Question
Thursday, November 13, 2014 10:45 PM
I've been trying to understand these two settings but I am still very confused. Can someone help?
All replies (7)
Friday, November 14, 2014 6:44 PM ✅Answered
If you create a web application in SharePoint 2013, this web app is based on claims. So we are using Windows Claims sign-in. This means that the AD group information is converted into claims and packed into a security token, which is issued by the Security Token Service (STS).
These security tokens have a default lifetime which is defined in the WindowsTokenLifeTime property of the SecurityTokenServiceConfig. The default value is set to 10 hours or 600 mins.
The next property is LogonTokenCacheExpirationWindow.
This property controls when SharePoint will consider that the security token has expired and ask the user to re-authenticate. SharePoint checks the expiration of the security Token at the start of every request. The default value is set to 10 minutes.
So LogonTokenCacheExpirationWindow has to be smaller than the WindowsTokenLifetime, so that SharePoint can update the security token after it is expired.
Hope it helps!
Thanks, Ransher Singh, MCP, MCTS
Friday, November 14, 2014 9:59 PM ✅Answered
I've seen a lot of posts online mention the formula: WindowsTokenLifeTime minus LogonTokenCacheExpirationWindow is the time after first request that SharePoint decides the security token has expired.
For example, if WindowsTokenLifeTime is 10 minutes, LogonTokenCacheExpirationWindow is 2 minutes, then after (10 minutes - 2 minutes) = 8 minutes, SharePoint will decide that the security token has expired.
Is this correct?
Friday, November 14, 2014 10:05 AM
Hi,
Please check the link for an explanation.
http://sharepoint.stackexchange.com/questions/112639/token-life-time-and-expiration
Friday, November 14, 2014 6:09 PM
Thanks. That may help a bit. The place I got confused is: what's the difference between a token "lifetime" and a token "cache expiration window"? The default value of a token "lifetime" is 10 hours, so the token is said to be live for 10 hours. The default value of "cache expiration window" is 10 minutes. How does that work together? Why do I care about a cache expiration window?
Friday, November 14, 2014 6:56 PM
If a security token is set up to expire after 10 minutes and a new token is issued by re-authentication, why a token lifetime of 10 hours?
Friday, November 14, 2014 7:58 PM
The security token will expire only after 10 hours. This is the life of the security token.
LogonTokenCacheExpirationWindow expiration is the time after the start of every request at which SharePoint will check if the token is expired or not. This is like a checkpoint for SharePoint to keep checking if the token is expired or not.
Thanks, Ransher Singh, MCP, MCTS
Monday, November 24, 2014 3:12 AM
Hi Jane,
Yes, you could learn the example from this article:
Regards,
Rebecca Tu
TechNet Community Support
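The formula raised in this thread (WindowsTokenLifeTime minus LogonTokenCacheExpirationWindow), as an added PowerShell example that is not part of any post. `Get-EffectiveTokenLifetime` is a hypothetical helper name and the sample values are constructed from the numbers quoted above; the last block reads the farm's own values only when the SharePoint cmdlet `Get-SPSecurityTokenServiceConfig` is available in the session.

```powershell
# Added example: hypothetical helper, not a SharePoint cmdlet.
function Get-EffectiveTokenLifetime {
    param(
        [Parameter(Mandatory = $true)][TimeSpan]$WindowsTokenLifetime,
        [Parameter(Mandatory = $true)][TimeSpan]$LogonTokenCacheExpirationWindow
    )

    # Formula from the thread: the token is treated as expired once
    # (lifetime - expiration window) has elapsed since it was issued.
    $effective = $WindowsTokenLifetime - $LogonTokenCacheExpirationWindow

    # The window has to be smaller than the lifetime; otherwise the
    # result is zero or negative and every request sees an expired token.
    $ok = $effective -gt [TimeSpan]::Zero
    if (-not $ok) {
        Write-Warning ("LogonTokenCacheExpirationWindow ({0}) is not smaller than WindowsTokenLifetime ({1})." -f `
            $LogonTokenCacheExpirationWindow, $WindowsTokenLifetime)
    }

    [pscustomobject]@{
        WindowsTokenLifetime            = $WindowsTokenLifetime
        LogonTokenCacheExpirationWindow = $LogonTokenCacheExpirationWindow
        EffectiveLifetime               = $effective
        WindowSmallerThanLifetime       = $ok
    }
}

# Constructed inputs: the defaults quoted in the thread (10 hours / 10 minutes),
# the 10 minute / 2 minute example, and a misconfigured pair.
$samples = @(
    @{ Lifetime = New-TimeSpan -Hours 10;   Window = New-TimeSpan -Minutes 10 },
    @{ Lifetime = New-TimeSpan -Minutes 10; Window = New-TimeSpan -Minutes 2  },
    @{ Lifetime = New-TimeSpan -Minutes 5;  Window = New-TimeSpan -Minutes 10 }
)
foreach ($s in $samples) {
    Get-EffectiveTokenLifetime -WindowsTokenLifetime $s.Lifetime `
                               -LogonTokenCacheExpirationWindow $s.Window
}

# On a SharePoint server, check the values the farm is actually using.
if (Get-Command Get-SPSecurityTokenServiceConfig -ErrorAction SilentlyContinue) {
    $sts = Get-SPSecurityTokenServiceConfig
    Get-EffectiveTokenLifetime -WindowsTokenLifetime $sts.WindowsTokenLifetime `
                               -LogonTokenCacheExpirationWindow $sts.LogonTokenCacheExpirationWindow
}
```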