Friday, March 10, 2006

WindowsPrincipal.IsInRole(...) and cached SID

There is something sinister here that I'm just not getting. There is an ASP.NET 1.1 application under IIS 6.0 with an application pool set to run under the context of a domain user. The application is removed so that we can upgrade it. The domain user is added to a machine local group with additional privileges. A new version of the application is installed and started up. Somewhere in its code the line WindowsPrincipal.IsInRole(string) is called (the parameter is the name of the machine local group), but that call fails. The event log shows a success audit for a logon attempt using explicit credentials, but the user's group membership isn't refreshed (even after an iisreset) until the machine is rebooted. If a SID is being cached, it can't be IIS that's doing it, and I'm tempted to believe it's Windows.
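A diagnostic that makes the symptom visible, added here as an example (it is not code from the original post). An access token carries the list of group SIDs that were computed when that token was created; WindowsPrincipal.IsInRole consults that list, not the group's current membership. The program below, which assumes .NET 2.0 or later for SecurityIdentifier/NTAccount (the post's application is .NET 1.1, which lacks these types), dumps the groups present in the current token, resolves the target group name to a SID independently, and reports IsInRole by name and by SID. ExampleLocalGroup is a placeholder for the machine-local group in question. Run it inside the worker process (for example from a page or handler) to see the app pool identity's token rather than an interactive user's token.

```csharp
using System;
using System.Security.Principal;

// Added diagnostic, not part of the original post. Shows what the current
// token says about group membership, which is what IsInRole consults.
class TokenGroupCheck
{
    static void Main(string[] args)
    {
        // Placeholder: the machine-local group the post refers to.
        // The qualified MACHINE\Group form avoids ambiguous name lookups.
        string groupName = args.Length > 0 ? args[0]
            : Environment.MachineName + @"\ExampleLocalGroup";

        WindowsIdentity id = WindowsIdentity.GetCurrent();
        WindowsPrincipal principal = new WindowsPrincipal(id);

        Console.WriteLine("Token user: {0}", id.Name);
        Console.WriteLine("Authentication type: {0}", id.AuthenticationType);

        // Group SIDs baked into the token when it was created. Membership
        // changes made after that point are not reflected here.
        Console.WriteLine("Groups in token:");
        foreach (IdentityReference g in id.Groups)
        {
            string friendly;
            try { friendly = g.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { friendly = "(unresolvable)"; }
            Console.WriteLine("  {0}  {1}", g.Value, friendly);
        }

        // Resolve the group name to its SID independently of the token, so a
        // name-lookup failure can be told apart from a stale token.
        SecurityIdentifier groupSid = null;
        try
        {
            groupSid = (SecurityIdentifier)new NTAccount(groupName)
                .Translate(typeof(SecurityIdentifier));
            Console.WriteLine("{0} resolves to {1}", groupName, groupSid.Value);
        }
        catch (IdentityNotMappedException)
        {
            Console.WriteLine("{0} does not resolve to a SID on this machine", groupName);
        }

        bool byName = principal.IsInRole(groupName);
        bool bySid = groupSid != null && principal.IsInRole(groupSid);
        Console.WriteLine("IsInRole(name) = {0}, IsInRole(sid) = {1}", byName, bySid);

        if (groupSid != null && !bySid)
        {
            // The group exists but its SID is absent from this token: the
            // token's group list predates the membership change, and IsInRole
            // can only succeed once a token created after the change is used.
            Console.WriteLine("Group exists but its SID is not in this token.");
        }
    }
}
```

If the name fails to resolve, the problem is the lookup (wrong name or domain/machine prefix), not caching; if it resolves but the SID is missing from the token, the process is running on a token built before the group change, whatever component is responsible for reusing it.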