Re: IsInRole & SID/Token Caching in .NET v1.1

From: Joseph E Shook (joeshook_at_deploymentCentric.com)
Date: 07/18/05


Date: Mon, 18 Jul 2005 11:06:24 -0700

Remember also that if you update group membership on a domain, it takes
time for that membership information to propagate to all the physical
domain controllers, thus when you restart your service (login the
service account) it is most likely not creating a login session with the
same physical box.

Mark Seward wrote:
> I have a win2003 server that needs to do IsInRole queries against users
> ("targets") other than the thread-executing user (the "operator"). The class
> I'm building will be used by ASP.NET apps and also by Windows Services.
>
> I know about using protocol transition to get an unauthenticated
> WindowsIdentity from the target UPNName, then getting the corresponding
> WindowsPrincipal and doing an IsInRole on that. Works great, if a little
> slow.
>
> But if I then change the target user's group membership in AD on our DC and
> re-execute the code, the update isn't reflected in the results. Apparently
> my local server is caching the underlying SID / token data someplace.
> Stopping & restarting my WinService app does NOT trigger a refresh.
>
> Eventually, usually after several minutes, the update propagates & I get
> correct results again. (Presumably after the entry gets flushed from
> aforesaid cache due to age / LRU??). So I conclude the issue is somewhere in
> the bowels of Win2003 SID / LSASS processing, about which I have no clue.
>
> Is there an accessible cache-flush function I could wrap and then call from
> .NET? Or at least something to force a fresh look at the particular target
> WindowsIdentity / WindowsPrincipal I'm interested in? Would calling it
> destroy the performance of the IIS server my app is running on?
>
> Thanks in advance,
> Mark Seward, MCAD .NET
>
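The protocol-transition lookup Mark describes, plus a diagnostic that lists which groups the S4U token actually carries, as an added C# example that is not code from either poster; the UPN, domain and group names are placeholders:

```csharp
using System;
using System.Security.Principal;
// Added example, not code from the thread. Assumes .NET Framework 4.0+ (for
// WindowsIdentity.Groups, Translate and IDisposable) on a domain-joined host
// whose service account is trusted for protocol transition (S4U2Self).
public static class RoleCheck
{
    // Perform an S4U logon for the target UPN and ask whether the resulting
    // token carries the given group. Each call builds a fresh token, but the
    // group list inside it is whatever the answering DC reported, so a change
    // made moments ago may not show until replication reaches that DC.
    public static bool TargetIsInRole(string targetUpn, string domainGroup)
    {
        using (WindowsIdentity target = new WindowsIdentity(targetUpn))
        {
            return new WindowsPrincipal(target).IsInRole(domainGroup);
        }
    }
    // Diagnostic helper: list the groups actually present in the token, so a
    // "missing" role is compared against what the DC returned, not guessed at.
    public static string[] DescribeTokenGroups(string targetUpn)
    {
        using (WindowsIdentity target = new WindowsIdentity(targetUpn))
        {
            string[] names = new string[target.Groups.Count];
            for (int i = 0; i < names.Length; i++)
            {
                IdentityReference group = target.Groups[i];
                try
                {
                    names[i] = group.Translate(typeof(NTAccount)).Value;
                }
                catch (IdentityNotMappedException)
                {
                    names[i] = group.Value; // SID that no longer resolves (e.g. a deleted group)
                }
            }
            return names;
        }
    }
    public static void Main(string[] args)
    {
        string upn = args.Length > 0 ? args[0] : "target.user@example.com"; // placeholder
        string role = args.Length > 1 ? args[1] : @"EXAMPLE\Some Group";    // placeholder
        Console.WriteLine("IsInRole({0}) = {1}", role, TargetIsInRole(upn, role));
        foreach (string g in DescribeTokenGroups(upn)) Console.WriteLine("  " + g);
    }
}
```

Running DescribeTokenGroups before and after a membership change shows whether the token returned by the DC has changed yet, which separates replication lag from a caching problem in your own process.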