
I'm using WindowsPrincipal's IsInRole method to check group memberships in WPF and Winforms apps. I'm generating an identity token which can be for any AD user (not necessarily the user who's actually logged into the computer--depending on what I'm doing I don't necessarily authenticate, I just use the basic informational level token (I think the proper name for it is "identity token")).

The first time this code is run on a particular computer the operating system generates the identity token for the user specified. That token is then used by the IsInRole function to validate group memberships. It's fast so I really like it. However, subsequent calls to create the WindowsIdentity/WindowsPrincipal reference the existing token instead of creating a new one. The only way I know how to update the token is to log out of the computer or reboot (which clears the token cache). Does anyone know a better way to reset cached identity tokens?

Example Code C#:

using System.Security.Principal;
WindowsIdentity impersonationLevelIdentity = new WindowsIdentity("Some_UserID_That_Isn't_Me", null);
WindowsPrincipal identityWindowsPrincipal = new WindowsPrincipal(impersonationLevelIdentity);
if (identityWindowsPrincipal.IsInRole("AN_AD_GROUP")) { /* ... */ }

VB:

Imports System.Security.Principal
Dim impersonationLevelIdentity = New WindowsIdentity("Some_UserID_That_Isn't_Me", Nothing)
Dim identityWindowsPrincipal = New WindowsPrincipal(impersonationLevelIdentity)
If identityWindowsPrincipal.IsInRole("AN_AD_GROUP") Then ' ...
Jeff


Not sure if this will resolve your issue, but try calling the Dispose method of the WindowsIdentity class, either directly or indirectly.

using (WindowsIdentity impersonationLevelIdentity = new WindowsIdentity("Some_UserID_That_Isn't_Me", null))
{
  // your code
}
  • Unfortunately it doesn't have any effect. From its behavior I think the security token is being stored by the operating system and the WindowsPrincipal is basically just a pointer to that object. (WindowsPrincipal has no destructor to call.) Thus it persists between executions of the application. Wish I knew how to flush out that cache. – Jeff Sep 15 '16 at 19:20
  • Turns out I was wrong. It is caching, but I'm not sure it's on the OS--it may be on the AD side. Eventually when I create a new identityWindowsPrincipal it gets updated (correct) group memberships. – Jeff Sep 16 '16 at 02:32
  • In that case there probably is not a solution available programmatically except to query AD directly; when you query AD you get updated results--unlike these security tokens, which are not always up to date. Unfortunately, querying AD is slow--at least in our environment. – Jeff Sep 16 '16 at 12:41
  • Went ahead and granted the 50 point bounty to you Sridhar since I appreciate you jumping in and making a suggestion. – Jeff Sep 16 '16 at 16:56
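An added example (not code from the question or either answer) that puts the two approaches discussed in the comments side by side: the fast token-based IsInRole check, and a direct directory query through System.DirectoryServices.AccountManagement that is not affected by the cached token. Comparing by SID rather than by group name avoids a second name lookup. The UPN, domain and group names are placeholders.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.DirectoryServices.AccountManagement; // reference System.DirectoryServices.AccountManagement.dll

static class GroupCheck
{
    // Token-based check (fast, but may reflect a previously built, stale token).
    // WindowsIdentity(upn, null) asks the OS for an identity-level token for that
    // user without a password; IsInRole evaluates the groups inside that token.
    public static bool IsMemberViaToken(string userUpn, string groupAccount)
    {
        SecurityIdentifier groupSid = (SecurityIdentifier)
            new NTAccount(groupAccount).Translate(typeof(SecurityIdentifier));
        using (WindowsIdentity identity = new WindowsIdentity(userUpn, null))
        {
            return new WindowsPrincipal(identity).IsInRole(groupSid);
        }
    }

    // Authoritative check: ask the domain for the user's current authorization
    // groups (nested membership included). Slower, but not subject to token caching.
    public static bool IsMemberViaDirectory(string userSamOrUpn, string groupAccount)
    {
        SecurityIdentifier groupSid = (SecurityIdentifier)
            new NTAccount(groupAccount).Translate(typeof(SecurityIdentifier));
        using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
        using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, userSamOrUpn))
        {
            if (user == null) throw new ArgumentException("User not found: " + userSamOrUpn);
            using (PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups())
            {
                return groups.Any(g => g.Sid != null && g.Sid.Equals(groupSid));
            }
        }
    }

    static void Main()
    {
        // Placeholder values; substitute a UPN and group from your own domain.
        string upn = "someone@example.local";
        string group = @"EXAMPLE\AN_AD_GROUP";
        bool fromToken = IsMemberViaToken(upn, group);
        bool fromDirectory = IsMemberViaDirectory(upn, group);
        Console.WriteLine("token: " + fromToken + ", directory: " + fromDirectory);
        if (fromToken != fromDirectory)
            Console.WriteLine("Token result is stale; the directory answer is the current one.");
    }
}
```

When the two results disagree, the token copy is the stale one, so an authorization decision that must reflect a membership change made minutes ago should use the directory query despite its cost.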

Turns out I was wrong. It is caching, but it appears to be on the AD side. Eventually after I create a new identityWindowsPrincipal it gets updated to the correct group memberships.

Jeff