1 29th July 23:52
jeremy lew
WindowsIdentity role caching in ASP.NET



Sorry, I obviously meant WindowsPrincipal, not WindowsIdentity.
2 29th July 23:58
joe kaplan mvp - adsi

My guess is that the LSA is caching the token, not the WindowsPrincipal.
Those are generally created new with each ASP.NET request in the pipeline.

Joe K.
3 29th July 23:59
jeremy lew


I have verified that it is not the WindowsPrincipal, however it is certainly
not the case that every new request is getting a new token. Nor every new
session. These are the steps to reproduce:

1. Make a request that authenticates as a user who is NOT a member of the
role. IsInRole returns false and an appropriate error is thrown.
2. On the server, add that user to the role in the group editor.
3. Refresh the browser. IsInRole still returns false.
4. Close the browser and open a new browser instance, authenticating again.
IsInRole continues to return false.
5. Stop and start W3SVC, IsInRole now correctly returns true.

I have noticed that allowing enough time to pass (maybe 30 minutes) also
seems to correct the situation, I think this may be because the ASP.NET app
is being recycled, but I'm not sure about this. At any rate, I have done
some tests and determined that the token is cached for the lifetime of a
Logon session, and that Logon sessions for a particular user seem to persist
between requests and sessions.
4 30th July 00:00
joe kaplan mvp - adsi


I wasn't suggesting that every new request was getting a new token, just
that they were getting a new .NET WindowsIdentity and WindowsPrincipal to
wrap the token. Sorry if I was unclear.

I think your analysis is correct, although it isn't totally clear to me what
governs the behavior. From what you report, it does look like it has
something to do with the worker process lifetime though.

Just out of curiosity, do you get different results with Basic auth. vs.
IWA? My guess is that you would, but I'm not certain about that.

Joe K.
5 30th July 00:01
jeremy lew


You're right, IWA appears to refresh the token between sessions, it's not
necessary to bounce the service. IWA is actually the normal method of
accessing my application, but I had turned it off to make it easier to log
in as someone else.

Thanks for the tip,
Jeremy
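
The logon session reuse discussed in this thread can be observed per request. The following is an added example, not code from either poster: an ASP.NET HTTP module that reads the token's logon session ID (`AuthenticationId`) and writes it, with the group count and `IsInRole` result, to the page trace. The module name and the role name are hypothetical placeholders.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Web;

// Added diagnostic (not from the thread): traces the logon session behind each request.
public class LogonSessionTraceModule : IHttpModule
{
    private const string RoleToCheck = @"MACHINE\RoleUnderTest"; // hypothetical: use your group
    private const int TokenStatistics = 10;                      // TOKEN_INFORMATION_CLASS value

    [StructLayout(LayoutKind.Sequential)]
    private struct LUID { public uint LowPart; public int HighPart; }

    [StructLayout(LayoutKind.Sequential)]
    private struct TOKEN_STATISTICS
    {
        public LUID TokenId;
        public LUID AuthenticationId; // identifies the logon session that owns the token
        public long ExpirationTime;
        public int TokenType, ImpersonationLevel;
        public uint DynamicCharged, DynamicAvailable, GroupCount, PrivilegeCount;
        public LUID ModifiedId;
    }

    [DllImport("advapi32.dll", SetLastError = true)]
    private static extern bool GetTokenInformation(IntPtr token, int infoClass,
        out TOKEN_STATISTICS info, int length, out int returnLength);

    public void Init(HttpApplication app) { app.PostAuthenticateRequest += OnPostAuthenticate; }
    public void Dispose() { }

    private static void OnPostAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        WindowsIdentity id = ctx.User == null ? null : ctx.User.Identity as WindowsIdentity;
        if (id == null || !id.IsAuthenticated) return; // anonymous or non-Windows auth

        TOKEN_STATISTICS stats; int needed;
        if (!GetTokenInformation(id.Token, TokenStatistics, out stats,
                Marshal.SizeOf(typeof(TOKEN_STATISTICS)), out needed))
        {
            ctx.Trace.Warn("TokenDiag", "GetTokenInformation failed: " + Marshal.GetLastWin32Error());
            return;
        }
        // A new WindowsPrincipal wraps the same token, so IsInRole reflects the token's groups.
        ctx.Trace.Write("TokenDiag", string.Format(
            "user={0} auth={1} logonSession={2:X}:{3:X8} groups={4} inRole={5}",
            id.Name, id.AuthenticationType, stats.AuthenticationId.HighPart,
            stats.AuthenticationId.LowPart, stats.GroupCount,
            new WindowsPrincipal(id).IsInRole(RoleToCheck)));
    }
}
```

Register the module under `httpModules` in web.config and enable tracing; an unchanged `logonSession` value after a fresh browser login means the request was served with the same logon session, so group changes made since that logon will not appear in the token.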