IsInRole & SID/Token Caching in .NET v1.1

From: Mark Seward (mark.seward.spamkiller_at_convergence-comm.com)
Date: 07/15/05

  • Next message: Joe Kaplan \(MVP - ADSI\): "Re: IsInRole & SID/Token Caching in .NET v1.1"
    Date: Fri, 15 Jul 2005 14:43:05 -0700

    I have a win2003 server that needs to do IsInRole queries against users
    ("targets") other than the thread-executing user (the "operator"). The class
    I'm building will be used by ASP.NET apps and also by Windows Services.

    I know about using protocol transition to get an unauthenticated
    WindowsIdentity from the target UPN name, then getting the corresponding
    WindowsPrincipal and doing an IsInRole on that. Works great, if a little
    slow.

    But if I then change the target user's group membership in AD on our DC and
    re-execute the code, the update isn't reflected in the results. Apparently
    my local server is caching the underlying SID / token data someplace.
    Stopping & restarting my WinService app does NOT trigger a refresh.

    Eventually, usually after several minutes, the update propagates & I get
    correct results again. (Presumably after the entry gets flushed from
    aforesaid cache due to age / LRU??). So I conclude the issue is somewhere in
    the bowels of Win2003 SID / LSASS processing, about which I have no clue.

    Is there an accessible cache-flush function I could wrap and then call from
    .NET? Or at least something to force a fresh look at the particular target
    WindowsIdentity / WindowsPrincipal I'm interested in? Would calling it
    destroy the performance of the IIS server my app is running on?

    Thanks in advance,
    Mark Seward, MCAD .NET
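
The protocol-transition approach described in the post above, written out as an added example (not code from the original message); the UPN and group names are constructed placeholders, and it assumes a Windows Server 2003 domain where the calling account is permitted to perform protocol transition:

```csharp
// Added example: evaluate role membership for a target user (not the
// calling thread's user) via protocol transition on Windows Server 2003 / .NET 1.1.
using System;
using System.Security.Principal;

public class TargetRoleChecker
{
    // Builds an identification-level token for the target UPN (no password needed)
    // and checks it against each role, paying the protocol-transition cost once
    // per target rather than once per role. Group membership is read when the
    // token is built from cached logon/ticket data, so a change made in AD may
    // not be visible until that cached entry expires: treat the result as
    // eventually consistent, not as a real-time view of the directory.
    public static bool[] IsTargetInRoles(string targetUpn, string[] roles)
    {
        WindowsIdentity target = new WindowsIdentity(targetUpn);
        WindowsPrincipal principal = new WindowsPrincipal(target);
        bool[] results = new bool[roles.Length];
        for (int i = 0; i < roles.Length; i++)
        {
            // Role names are NT-style "DOMAIN\\Group" strings, resolved by IsInRole.
            results[i] = principal.IsInRole(roles[i]);
        }
        return results;
    }

    public static void Main(string[] args)
    {
        // Constructed sample values; substitute a real UPN and real group names.
        string upn = "jdoe@corp.example.com";
        string[] roles = { "CORP\\AppAdmins", "CORP\\AppReaders" };
        bool[] membership = IsTargetInRoles(upn, roles);
        for (int i = 0; i < roles.Length; i++)
        {
            Console.WriteLine("{0} in {1}: {2}", upn, roles[i], membership[i]);
        }
    }
}
```

Running the same check again immediately after an AD group change will typically return the earlier answer, which is the caching behaviour the post describes; if the application must react promptly to revoked membership, it should not rely on this token as the sole source of truth.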

