#337 Clean up Windows Auth

Author: Tratcher

src/Microsoft.Net.Http.Server/RequestProcessing/NativeRequestContext.cs

@@ -224,8 +224,14 @@ internal ClaimsPrincipal GetUser()
                     && info->InfoType == HttpApi.HTTP_REQUEST_INFO_TYPE.HttpRequestInfoTypeAuth
                     && info->pInfo->AuthStatus == HttpApi.HTTP_AUTH_STATUS.HttpAuthStatusSuccess)
                 {
-                    return new WindowsPrincipal(new WindowsIdentity(info->pInfo->AccessToken,
-                        GetAuthTypeFromRequest(info->pInfo->AuthType).ToString()));
+                    // Duplicates AccessToken
+                    var identity = new WindowsIdentity(info->pInfo->AccessToken,
+                        GetAuthTypeFromRequest(info->pInfo->AuthType).ToString());
+
+                    // Close the original
+                    UnsafeNclNativeMethods.SafeNetHandles.CloseHandle(info->pInfo->AccessToken);
+
+                    return new WindowsPrincipal(identity);
                 }
             }
             return new ClaimsPrincipal(new ClaimsIdentity()); // Anonymous / !IsAuthenticated

src/Microsoft.Net.Http.Server/RequestProcessing/Request.cs

@@ -7,6 +7,7 @@
 using System.Net;
 using System.Security.Claims;
 using System.Security.Cryptography.X509Certificates;
+using System.Security.Principal;
 using System.Threading;
 using System.Threading.Tasks;
 
@@ -303,6 +304,7 @@ internal void Dispose()
             // TODO: Verbose log
             _isDisposed = true;
             _nativeRequestContext.Dispose();
+            (User?.Identity as WindowsIdentity)?.Dispose();
             if (_nativeStream != null)
             {
                 _nativeStream.Dispose();