Time lag in changes to Active Directory security groups and User Roles


I am using Active Directory to assign the roles for users in my web application. However, I am finding that there seems to be a long time lag between changing a user's security group allocation in AD and those changes propagating to users who are using the application. In fact, when I retrieve the roles for a user in C# from AD they are up to date, but when I run this code to view the roles for the user, they are not updated until the next day. How do I make the user role updates from AD instant?

using System.Linq;
using System.Security.Principal;

// Reads the groups recorded in the current logon token, not live AD membership.
var identity = WindowsIdentity.GetCurrent();
var groups = from sid in identity.Groups select sid.Translate(typeof(NTAccount)).Value;
string groupName = null;
foreach (var group in groups)
{
    groupName = group;
}

There are 2 answers

teo van kot

This happens because the Kerberos authorization info is stored in the cache memory of the local machine (your app server), so you may be getting data that is not up to date.

You have 2 options:

  1. Force update ticket-granting ticket (TGT) on your server
  2. Use UserPrincipal.GetAuthorizationGroups to get your group not from app server but from AD.
Daro

Remember that the user's token is only updated when he logs in again. AD shows the user as a group member immediately, but the user can only exercise those rights after the group's SID is in his token.

So you either need to check AD to see if the user is a member of a specific group, or you must wait until the user logs in after the group assignment has been completed and replicated.
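The two answers above point at the same distinction: the groups in the logon token (what the question's snippet reads) are frozen until the user re-authenticates, while a query against AD reflects membership as it is now. The following added example, which is not code from either answerer or from the asker, shows both side by side: one method reads the token groups, the other asks the domain via UserPrincipal.GetAuthorizationGroups (which expands nested membership), and an IsInRole check is built on the live data. It assumes the app server is domain-joined, that the project references System.DirectoryServices.AccountManagement, and uses a hypothetical group name "APP-Approvers" as the role to check.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Security.Principal;

// Hypothetical helper (added example, not from the question or answers).
// Resolves a user's current AD group membership by querying the domain
// instead of reading the cached logon token. Requires a domain-joined host.
public static class AdRoleResolver
{
    // Groups baked into the caller's logon token. This is what the question's
    // snippet reads: fixed at logon and only refreshed when the user obtains a
    // new token (re-logon / new TGT). Group removals are NOT reflected here
    // until then, which matters when access is being revoked.
    public static IReadOnlyList<string> TokenGroups(WindowsIdentity identity)
    {
        return identity.Groups
            .Select(TryTranslate)
            .Where(name => name != null)
            .ToList();
    }

    // Groups as AD sees them right now, including nested membership.
    // (GetAuthorizationGroups expands nesting; GetGroups returns direct only.)
    public static IReadOnlyList<string> LiveGroups(string samAccountName)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null)
                throw new ArgumentException("User not found in AD: " + samAccountName);

            using (var groups = user.GetAuthorizationGroups())
            {
                return groups
                    .Where(g => g.SamAccountName != null) // some well-known SIDs carry no name
                    .Select(g => g.SamAccountName)
                    .ToList();
            }
        }
    }

    // Authorization decision based on live AD data rather than the token.
    // sAMAccountName comparison is case-insensitive, matching AD's own lookups.
    public static bool IsInRole(string samAccountName, string requiredGroup)
    {
        return LiveGroups(samAccountName)
            .Any(g => string.Equals(g, requiredGroup, StringComparison.OrdinalIgnoreCase));
    }

    // Translate a SID to DOMAIN\Name; orphaned or foreign SIDs cannot be mapped.
    private static string TryTranslate(IdentityReference sid)
    {
        try { return sid.Translate(typeof(NTAccount)).Value; }
        catch (IdentityNotMappedException) { return null; }
    }
}

// Example use (hypothetical user and group names):
// var me = WindowsIdentity.GetCurrent();
// var fromToken = AdRoleResolver.TokenGroups(me);          // stale until re-logon
// var fromAd    = AdRoleResolver.LiveGroups("jdoe");       // current as of this query
// bool canApprove = AdRoleResolver.IsInRole("jdoe", "APP-Approvers");
```

LiveGroups performs a directory query on every call, so an application that checks roles on each request should cache the result for a short, deliberate interval (a few minutes) at the application layer rather than fall back on the logon token, whose lifetime is effectively the user's session. Doing the check against AD also means a group removal takes effect on the next cache expiry instead of at the user's next logon, which is the behaviour you want for access revocation.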