Re: refreshing windowsidentity for user group changes



Make sure your perf doesn't suffer too much by disabling the caching. You
might want to leave it in, but set it to a lower value.

Glad you found the setting. I was in too much of a hurry when I replied to
do the search for you. :)

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"zee" <zee@xxxxxxxxxxxxxxxxx> wrote in message
news:909FF2FC-1545-4224-95B9-606FD183C1CA@xxxxxxxxxxxxxxxx
Thanks for the quick reply.

You were right about the caching of the S4U token. I am using the
WindowsIdentity constructor that just takes the UPN and it does get cached
for approx. 10 minutes. By changing the following registry setting and
rebooting the server, I was able to disable the caching and see the AD group
changes immediately.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\"CacheS4UTickets"=dword:00000000

Thanks for your help.

"Joe Kaplan" wrote:

Are you saying that you use the WindowsIdentity constructor that just takes
the UPN (single string)? In that case, you are using the Windows "protocol
transition" (Kerberos S4U) to create the token.

My understanding is that the local security authority caches the S4U token
to provide better performance. If there was a way to change this caching
behavior, it would likely be via a registry setting. You might do some
searches along those lines.

The .NET stuff here is really just a thin wrapper around the LsaLogonUser
Windows API call and doesn't control this behavior at all.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"zee" <zee@xxxxxxxxxxxxxxxxx> wrote in message
news:15B59E1A-6BF4-4030-AD90-7AAC4C56D09D@xxxxxxxxxxxxxxxx
I have a custom application that creates the WindowsIdentity from user UPNs
and uses it to perform authorization. If a user is removed from an AD group
while the application is running, the application disposes the
WindowsIdentity and creates a new one, but WindowsIdentity.Groups still
contains the user group that the user was removed from. Are the token/groups
for a user cached? If so, how can we get rid of it so as to reflect the
change immediately?
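
The behaviour discussed in this thread, as an added example that is not code from any of the posters: a PowerShell script that reads (and optionally sets) the CacheS4UTickets value exactly as zee quoted it, builds a WindowsIdentity from a UPN the same way the application does (the single-string constructor, i.e. S4U protocol transition), dumps the groups in the resulting token, and then re-queries so you can see whether a membership change in AD shows up. The registry value name, the key path and the sample UPN are taken from the post or are assumptions; check them against your own build before relying on them.

```powershell
# Added example, not from the thread. Run elevated on the server that builds
# the tokens. The value name below is copied from zee's post (assumed correct
# for that build); the UPN is a placeholder.
param(
    [Parameter(Mandatory)] [string] $Upn,          # e.g. 'alice@corp.example'
    [switch] $DisableS4UCache                      # write CacheS4UTickets=0
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$valueName = 'CacheS4UTickets'

function Get-S4UCacheSetting {
    # Returns the current DWORD, or a marker when the value has never been set
    # (absence means the default LSA caching behaviour described in the thread).
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return '<not set: default caching>' }
    return $item.$valueName
}

function Get-S4UGroups([string] $Upn) {
    # WindowsIdentity(string) asks the LSA for an S4U logon: no password is
    # supplied, the DC builds the PAC, and Groups reflects what came back
    # (possibly from the LSA cache). Dispose so the token handle is released.
    $id = New-Object System.Security.Principal.WindowsIdentity($Upn)
    try {
        $id.Groups | ForEach-Object {
            try   { $_.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $_.Value }   # unresolvable SID: keep the raw S-1-... string
        } | Sort-Object
    }
    finally {
        $id.Dispose()
    }
}

Write-Host "$valueName = $(Get-S4UCacheSetting)"
if ($DisableS4UCache) {
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Host "$valueName set to 0. Per the thread, a reboot is needed before it takes effect."
}

$before = @(Get-S4UGroups $Upn)
Write-Host "Groups in S4U token for $Upn ($($before.Count)):"
$before | ForEach-Object { Write-Host "  $_" }

Read-Host 'Change the user''s group membership in AD, then press Enter to re-query' | Out-Null

$after = @(Get-S4UGroups $Upn)
$diff  = Compare-Object -ReferenceObject $before -DifferenceObject $after
if (-not $diff) {
    Write-Host 'No change visible: the LSA is still handing back the cached S4U token (or replication has not reached the DC this host talks to).'
}
else {
    # "=>" is a group only present after the change, "<=" only before it.
    $diff | ForEach-Object { Write-Host ("  {0} {1}" -f $_.SideIndicator, $_.InputObject) }
}
```

Two caveats worth keeping in mind when you run this. First, disabling the cache means every WindowsIdentity(UPN) construction goes back to the KDC, which is the perf cost Joe warns about; if you only need faster convergence rather than instant, a smaller value is the usual compromise. Second, even with the cache off, the groups are whatever the DC the host is talking to puts in the PAC, so a membership change made on another DC is not visible until replication has delivered it, and tokens already issued to running sessions elsewhere are not affected at all.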
