Wayne Arthurton

Enumerating Groups using WindowsIdentity.GetCurrent() returns old set of groups

I have a user for whom, when I attempt to enumerate her groups using either System.Security.Principal.WindowsIdentity.GetCurrent().Groups on the user's computer or System.Web.HttpContext.Current.Request.LogonUserIdentity.Groups on the IIS server, I get a list of her old groups, not her new ones.

I have checked the DC that she authenticates to, and the ASP.NET page is running inside a SharePoint instance, so the LogonUserIdentity is most likely being provided from her Kerberos ticket.

Should I be looking up the groups directly from the AD instead of relying on the WindowsIdentity or LogonUserIdentity?

Upvotes: 4

Views: 4021

Answers (1)

Harvey Kwok

If you use WindowsIdentity or LogonUserIdentity, it's going to retrieve the group information from the authorization data stored in the Kerberos ticket-granting ticket (TGT).

It's powerful and useful because once you are authenticated and you get the Kerberos TGT, you don't need to query Active Directory again to get all the group information. Actually, group enumeration is pretty expensive and complicated. Therefore, the Kerberos ticket approach is preferred, and this approach is used whenever you access any Windows resource.

However, this also means that after you add your user account to a group, the WindowsIdentity or LogonUserIdentity approach won't know about the newly added groups. You have to purge your Kerberos ticket and get it again. You can log off and then log on, or you can lock your screen and type in the password to unlock your screen.

If for some reason you still want to do the group enumeration yourself, I recommend using UserPrincipal.GetAuthorizationGroups in .NET 3.5. It returns all the security groups a user belongs to.

Upvotes: 5
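As an added example (not from the question or the answer above), the following C# console program puts the two sources side by side: the group SIDs in the current logon token, which come from the Kerberos ticket, and the group SIDs Active Directory reports right now via UserPrincipal.GetAuthorizationGroups. It assumes a domain-joined machine, that the process runs as the domain user being checked, and it compares only groups from that user's own account domain (the `TokenGroupAudit` class and its method names are this example's own).

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Security.Principal;
// Added example, not from the original post. Assumes a domain-joined machine
// and that the process runs as the domain user whose membership is checked.
static class TokenGroupAudit
{
    // Domain-group SIDs carried in the logon token (built from the Kerberos
    // ticket at logon), limited to the user's own account domain.
    static HashSet<string> TokenGroupSids(WindowsIdentity identity, SecurityIdentifier domainSid)
    {
        return new HashSet<string>(identity.Groups.Cast<SecurityIdentifier>()
            .Where(g => domainSid.Equals(g.AccountDomainSid))
            .Select(g => g.Value), StringComparer.OrdinalIgnoreCase);
    }
    // Domain-group SIDs Active Directory reports for the account right now.
    static HashSet<string> DirectoryGroupSids(string samAccountName, SecurityIdentifier domainSid)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null) throw new ArgumentException("User not found: " + samAccountName);
            using (var groups = user.GetAuthorizationGroups())
            {
                return new HashSet<string>(groups.Select(g => g.Sid)
                    .Where(s => domainSid.Equals(s.AccountDomainSid))
                    .Select(s => s.Value), StringComparer.OrdinalIgnoreCase);
            }
        }
    }
    static void Main()
    {
        var identity = WindowsIdentity.GetCurrent();
        var domainSid = identity.User.AccountDomainSid;
        var samAccountName = identity.Name.Split('\\').Last(); // "DOMAIN\user" -> "user"
        var token = TokenGroupSids(identity, domainSid);
        var directory = DirectoryGroupSids(samAccountName, domainSid);
        // In AD but not in the token: the user lacks that access until the ticket is refreshed.
        foreach (var sid in directory.Except(token))
            Console.WriteLine("Not yet in token: " + sid);
        // Still in the token but no longer in AD: that access persists until the ticket is
        // refreshed, which is the case an access review should flag.
        foreach (var sid in token.Except(directory))
            Console.WriteLine("Stale in token: " + sid);
    }
}
```

An empty output in both directions means the token and the directory agree; any "Stale in token" line is a group the user can still use until they log off and back on.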
