Reputation: 23268
I have a domain and I use AuthzGetInformationFromContext API on the client machine to retrieve sid of the groups to which a user belongs.
It works fine. However, if I add the user to some group or remove him from some group on the domain controller, this API will still show the old list of groups. In that case, if I wait 10 minutes or more, it will show the updated list of groups.
I tried to do this on different computers and saw that the application shows the updated list of groups at a different time on each. So, it's not a domain controller cache.
Also, my application exits and starts again. So, it's not an application-level cache either.
So, I believe there is some computer-level cache for group membership (retrieved through this API).
Does anybody know how to clear this cache programmatically, or change some setting to decrease this 10-minute interval to something shorter?
Upvotes: 3
Views: 3798
Reputation: 72640
According to this post and Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 1, you can purge the Kerberos TGT (and all your service tickets) using something like klist purge
(The tool is present on Windows Seven). You have to run the tool locally on the machine the user is logged in to.
You can find the source of Klist.exe in the Windows Platform SDK (the API in use is LsaCallAuthenticationPackage):
C:\Program Files\Microsoft SDKs\Windows\v7.0\Samples\security\authorization\klist
Upvotes: 3
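The purge step from the answer above, worked through as an added PowerShell example (not part of the question or the answer, and not the SDK klist sample): it records the group SIDs of the current token, runs klist purge for the caller's logon session (or another session given by LUID), and verifies that the ticket cache is empty afterwards. It assumes Windows 7 / Server 2008 R2 or later, where klist.exe ships in-box, and that klist prints a "Cached Tickets: (N)" line; the function names are my own.

```powershell
# Added example (not from the answer above): purge the Kerberos ticket cache
# with klist and confirm the purge took effect.
# Assumes klist.exe is in-box (Windows 7 / Server 2008 R2 or later).

function Get-TokenGroupSids {
    # Group SIDs baked into the current process token at logon time.
    # A purge does not rewrite an existing token; the group list of a token
    # is fixed when the token is created, so a fresh logon (or a context the
    # application builds anew) is what picks up the updated membership.
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
        ForEach-Object { $_.Value }
}

function Clear-KerberosTickets {
    param(
        # Logon session to purge; omit for the caller's own session.
        # 0x3e7 is the local SYSTEM session (computer-account tickets) and
        # requires an elevated prompt.
        [string]$LogonId
    )
    $klistArgs = @('purge')
    if ($LogonId) { $klistArgs += @('-li', $LogonId) }
    & klist.exe @klistArgs | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "klist purge failed with exit code $LASTEXITCODE"
    }
}

function Test-KerberosCacheEmpty {
    # klist reports the number of cached tickets as "Cached Tickets: (N)".
    $output = (& klist.exe) -join "`n"
    if ($output -match 'Cached Tickets:\s*\((\d+)\)') {
        return ([int]$Matches[1] -eq 0)
    }
    throw "Could not find the ticket count in klist output"
}

# Snapshot the token's groups, purge, and verify.
$groupsBefore = Get-TokenGroupSids
Clear-KerberosTickets
"Token group count (unchanged by the purge): $($groupsBefore.Count)"
"Ticket cache empty after purge: $(Test-KerberosCacheEmpty)"

# The next access to a Kerberos-protected resource requests new tickets;
# 'klist tgt' shows the freshly issued TGT once that has happened.
& klist.exe tgt
```

Run it in the user's own interactive session, as the answer says; purging another logon session's tickets (the -li form) only works from an elevated prompt. The token-group snapshot is printed deliberately: it makes visible that purging tickets clears cached credentials without altering the groups already in the running process's token.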