Re: refreshing windowsidentity for user group changes
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 21 Sep 2007 18:50:05 -0500
Are you saying that you use the WindowsIdentity constructor that just takes
the UPN (single string)? In that case, you are using the Windows "protocol
transition" (Kerberos S4U) to create the token.
My understanding is that the local security authority caches the S4U token
to provide better performance. If there was a way to change this caching
behavior, it would likely be via a registry setting. You might do some
searches along those lines.
The .NET stuff here is really just a thin wrapper around the LsaLogonUser
Windows API call and doesn't control this behavior at all.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"zee" <zee@xxxxxxxxxxxxxxxxx> wrote in message
news:15B59E1A-6BF4-4030-AD90-7AAC4C56D09D@xxxxxxxxxxxxxxxx
I have a custom application that creates the windowsidentity from user UPNs
and uses it to perform authorization. if a user is removed from an AD
group
while the application is running, the application disposes the
windowsidentity and creates a new one but the windowsidentity.Groups still
contains the user group that the user was removed from. Are the
token/groups
for a user cached? If so, how can we get rid of it so as to reflect the
change immediately?
.
- Prev by Date: RE: form authentication with AD
- Next by Date: Re: refreshing windowsidentity for user group changes
- Previous by thread: RE: form authentication with AD
- Next by thread: Re: refreshing windowsidentity for user group changes
- Index(es):
Relevant Pages
|
|
