Posts Tagged ‘Kerberos’

Permissions delay when using Kerberos and Security Groups #SP2010 #SharePoint #in

May 18, 2012 1 comment

At one of our clients recently we had a support issue concerning a delay in permissions being applied in a SharePoint 2010 environment.

Environment Details:

  • SharePoint Server 2010 – Enterprise: SP1 – Dec 2011 CU
  • Authentication: Kerberos


  • Site Administrators add an Active Directory security group into a SharePoint group for permissions.
  • The security group has 9 users and permissions are applied accordingly.
  • Later down the line a system admin adds a users into the security group giving it 10 members instead.
  • No changes have been made to the SharePoint group security.


The 10th member is not immediately given the rights of the SharePoint group.  However, after some time has passed (with no changes being made), the permissions are applied to the 10th member.

The amount of time is not fixed but is definitely no more than a standard working day.


After investigation and replicating the issue back at the office, we found this:

In particular, we found these settings:

Maximum lifetime for user ticket Determines the maximum amount of time (in hours) that a user’s TGT can be used. When a user’s TGT expires, a new one must be requested or the existing one must be renewed. By default, the setting is ten hours.
Maximum lifetime for user ticket renewal Determines the longest period of time (in days) that a TGT can be used if it is repeatedly renewed. By default, the setting is seven days.

So the issue is that the Kerberos token is being cached therefore the permissions are not being enforced until the token has expired.

Now, 10 hours to wait is a very long time but given that this is a forest wide setting, should we be changing this setting?  In this case we also realised that the token is re-issued whenever a user logs back in.

So when these issues occur and a support issue comes in we ask them to just log off and log back in again and then we are back to where we should be!

All sorted then…

To see this in action, we took a video to prove the scenario:

Categories: Work Tags: , ,
%d bloggers like this: