Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How can I ensure that IsInRole checks are not using cached credentials

I have a WPF client that connects to a WCF service, and I want to lock down some of the functionality so that only certain users can perform certain actions. The WCF service impersonates the client user when executing service methods. The OS is Windows XP.

I was reading this question as part of my investigation into the best way to apply user roles to features in my application (I want to assign users to AD security groups, and then check IsInRole), and am worried that cached permissions will allow users who have had their permissions reduced to access functionality they no longer have permission to. Conversely, I am also worried that users who have had their permissions upgraded will need to log out of their windows account, or even that the WCF service might have to be restarted (worst case scenario) before they can access the new functionality.

What is the simplest way to ensure that both client and server can immediately see changes to the AD security groups?

like image 927
Franchesca Avatar asked Jul 14 '11 09:07

Franchesca


People also ask

What is cached authentication?

User authentication caching refers to storing the users' Verify credentials in Verify after their first-time successful authentication. Enable and configure the caching of user credentials to improve performance and to avoid any impact on user login during an MaaS360® release downtime.

What is cached logon count?

The Cached Logons Count in registry defines how many logins should be cached locally, and thus allow you to login if you can't reach your DC. With default configuration cached logins never expire.


1 Answers

You can always implement your own membership provider that queries the AD. It's pretty easy and you'll be sure that all permission evaluations are accurate, or at least exactly as you want them to be.

If you find querying the AD server on each evaluation to be "expensive" on performance you can create your own cache on the client which you can force to refresh periodically or on demand. This cache can be as simple as an indexed list (like a Dictionary) of permissions that you can query pretty fast.

Here's a good article on how to interact with AD: http://www.codeproject.com/KB/system/everythingInAD.aspx

like image 196
AlexCode Avatar answered Oct 23 '22 05:10

AlexCode