SharePoint (and Project Server) Shenanigans

At one of our clients recently we had a support issue concerning a delay in permissions being applied in a SharePoint 2010 environment.

Environment Details:

• SharePoint Server 2010 – Enterprise: SP1 – Dec 2011 CU
• Authentication: Kerberos

Scenario

• Site Administrators add an Active Directory security group into a SharePoint group for permissions.
• The security group has 9 users and permissions are applied accordingly.
• Later down the line a system admin adds a users into the security group giving it 10 members instead.
• No changes have been made to the SharePoint group security.

Problem

The 10th member is not immediately given the rights of the SharePoint group.  However, after some time has passed (with no changes being made), the permissions are applied to the 10th member.

The amount of time is not fixed but is definitely no more than a standard working day.

Solution

After investigation and replicating the issue back at the office, we found this:

http://technet.microsoft.com/en-us/library/cc738673(v=ws.10).aspx

In particular, we found these settings:

So the issue is that the Kerberos token is being cached therefore the permissions are not being enforced until the token has expired.

Now, 10 hours to wait is a very long time but given that this is a forest wide setting, should we be changing this setting?  In this case we also realised that the token is re-issued whenever a user logs back in.

So when these issues occur and a support issue comes in we ask them to just log off and log back in again and then we are back to where we should be!

All sorted then…

To see this in action, we took a video to prove the scenario: