堆栈内存溢出
  简体   繁体   English

Active Directory安全组和用户角色更改的时滞

[英]Time lag in changes to Active Directory security groups and User Roles

 原文  2015-06-09 10:40:23       asp.net-mvc/ active-directory/ windows-authentication

问题描述

I am using Active Directory to assign the roles for users in my web application. 我正在使用Active Directory为我的Web应用程序中的用户分配角色。 However I am finding that there seems to be a long time lag between changing a user security group allocation in AD, and those changes propagating to users who are using the application. 但是,我发现在AD中更改用户安全组分配与这些更改传播给正在使用该应用程序的用户之间似乎存在很长的时间间隔。 In fact when I retrieve the roles for a user in C# from AD they are up to date, but when I run this code to view the roles for the user, they are not updated until the next day. 实际上,当我从AD中用C#检索用户的角色时,它们是最新的,但是当我运行此代码以查看该用户的角色时,直到第二天它们才更新。 How do I make the user role updates from AD instant? 如何从AD Instant更新用户角色? 

var identity = WindowsIdentity.GetCurrent();
var groups = from sid in identity.Groups select sid.Translate(typeof(NTAccount)).Value;
foreach (var group in groups)
{
    groupName = group;
}

2 个解决方案

解决方案1
 2  2015-06-09 13:49:30

This happens because Kerberos authorization info is stored in cache memory of local machine (Your app server), so you may not be able to get NOT up-to-date data. 发生这种情况是因为Kerberos授权信息存储在本地计算机(您的应用程序服务器)的缓存中,因此您可能无法获取最新数据。

You have 2 options: 您有2个选择:

  1. Force update ticket-granting ticket (TGT) on your server 在您的服务器上强制更新授予票证的票证(TGT)
  2. Use UserPrincipal.GetAuthorizationGroups to get your group not from app server but from AD. 使用UserPrincipal.GetAuthorizationGroups可以从应用服务器而不是从AD获取组。

解决方案2
 0  2015-06-19 20:12:40

Remember the user's token is only updated when he logs in again. 请记住,只有当用户再次登录时,用户的令牌才会更新。 AD shows the user as a group member immediately, but the user only can exercise those rights after the group's SID is in his token. AD立即将用户显示为组成员,但是只有在组的SID包含在其令牌中后,用户才能行使这些权利。

So you either need to check AD to see if the user is a member of a specific group, or you must wait until the user logs in after the group assignment has been completed and replicated. 因此,您要么需要检查AD以查看用户是否是特定组的成员,要么必须等到组分配完成并复制后用户才能登录。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 使用Windows身份验证和活动目录组作为角色 - using windows authentication with active directory groups as roles 使用Active Directory组进行Windows身份验证 - Windows Authentication with Active Directory Groups Active Directory组未返回 - Active Directory Groups not being returned MVC 5中用于Active Directory身份验证的自定义角色 - Custom roles in MVC 5 for Active Directory authentication 为嵌套在组中的用户角色设置授权 - Set up authorization for user roles nested in groups Azure Active Directory用户未激活 - Azure Active Directory User Not Active ASP.NET Core 2 - AD 组未映射到安全角色 - ASP.NET Core 2 - AD Groups not mapping to security roles Active Directory组在创建后无法立即使用 - Active Directory groups not immediately available after creation 从Active Directory进行身份验证,但在MVC中从SQL数据库授权角色 - Authenticate from Active Directory but Authorize Roles from SQL Database in MVC 具有自定义角色和Active Directory的ASP MVC 5 Windows身份验证 - ASP MVC 5 Windows authentication with custom roles and Active Directory
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM