ASP.NET Windows Role Provider (AspNetWindowsTokenRoleProvider) not noticing a user being added to a new group

Question

I am trying to create an application that uses <authorization> rules to limit the groups that are authorized to access the application. I am using Windows authentication and the Windows Role provider for ASP.NET (AspNetWindowsTokenRoleProvider). I am using local groups to define the roles, as the domain that I am developing on, and the domain that the app will eventually be deployed to will be different.

When I initially setup deployed my application to an IIS7 server, and I setup the site to use basic authentication, with the proper default domain, everything worked fine for the users that were already assigned to the authorized groups. However, when I attempted to add a new user to any of the authorized groups, this user was never authorized to access the application. I have done everything save for rebooting the machine. I restarted IIS as well as deleted all temporary files and cookies on the client side, to no avail.

It should be stated that this is an ASP.Net MVC app, though I didn't think that would really make any difference. Here are the pertinent entries from my web.config:

<!-- use windows authentication -->
<authentication mode="Windows" />

<!-- use the Windows role provider -->    
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />

<!-- global authorization rules -->
<authorization>
    <allow roles="admins,contractors"/>
    <deny users="*" />
</authorization>

For instance, let's say we have a user, "Domain\joe", that is not currently a member of the local "admins" group, but we want to add him. We go add him, and then when Joe attempts to login, he sees an error that he is not authroized (after several failed login attempts). No amount of IIS restarts or having Joe delete his cookies and other temporary files will solve this issue.

Is ASP.Net keeping some kind of secret role/group cache? How do you go about adding a new user to a group and then ensuring that the role provider will see that the user was added to a group?

Answer 1

It appears there is a delay between the time when a user is added or removed from a group, and the time when IIS will pick up on the change. There is a registry value you can set that to change the amount of time that user authentication tokens are cached, or disable caching all together. However, changing this value (UserTokenTTL) seemed to have no impact on the time it takes IIS to realize a user has been added to a group. The following page has more info about the UserTokenTTL registry key: http://support.microsoft.com/kb/954864