I’m encountering an issue wherein Windows authenticated user roles appear to be cached and are not updated until I restart the application. While a user's roles will not change often they do change and can change before an application restart is performed.

I am hosting my ASP.NET Core 2 application on IIS via Kestrel and the ASP.NET Core Module. Via the AuthorizeFilter I have a global policy which requires authenticated users. Users are not prompted for credentials but are instead authenticated via integrated Windows Authentication. Below are snippets of my application configuration that pertain to server host configuration, authentication and authorization:

Snippets from Program.cs

private static IWebHost BuildWebHost(string[] args) => WebHost.CreateDefaultBuilder(args) .UseKestrel(options => { options.Limits.KeepAliveTimeout = TimeSpan.FromMinutes(30); }) .UseIISIntegration() .Build();

Snippets from Startup.cs

Authentication Configuration

services.AddAuthentication(options => { options.DefaultScheme = IISDefaults.AuthenticationScheme; options.DefaultForbidScheme = IISDefaults.AuthenticationScheme; });

Authorization Configuration

services.AddAuthorization(options => { options.AddPolicy("RequireAuthenticatedUser", policyBuilder => policyBuilder.RequireAuthenticatedUser()); });

Addition of Global AuthorizeFilter :

services.AddMvc(mvcOptions => { mvcOptions.Filters.Add(new AuthorizeFilter("RequireAuthenticatedUser")); });

Snippet from launchSettings.json

{ "iisSettings": { "windowsAuthentication": true, "anonymousAuthentication": true, "iisExpress": { "applicationUrl": "http://localhost:4100", "sslPort": 0 } } }

All of this works wonderfully and users are required to authenticate and I am able to retrieve their Active Directory roles. Sadly, when those roles change without an application restart I am unable to get an updated list of roles. Meaning that users who should have access do not and those that should no longer have access still do. All of my role checking is based on the ClaimsPrincipal.IsInRole("xyz") , which remains stagnant from when the user first authenticated. However, if I use System.DirectoryServices.AccountManagement to check the user's current roles within Active Directory they are clearly updated (for production want to use built in functionality and don't want to resort to this).

What configuration changes, cache invalidation or session reset do I need to perform to ensure that when a user's AD roles change my application will reflect their current roles?