|
|
You're in the
iis security
group:Resetting IUSR user token
iis security:
Folks,
Maybe someone can help me out here. I'm working on an ASP web application on a w2k server with iis 5. The application dynamically creates folders and uses adsi to create local windows groups that have access to these folders. Because the group 'authenticated users' is member of one of the new windows groups, the IUSR account should have access to the new folder. But because the IUSR user token is cached for 15 mins anonymous users can't immediately access this folder, but have to wait untill the TimeToLive for the IUSR token has expired. Because of the performance penalty i don't want to reduce the UserTokenTTL for all users. (The possible solution described in KB152526.) Is it possible to force the expiration of the IUSR user token? If I can expire just this one token immediately after creating the windows groups, the problem should be solved. Does anyone know a way to accomplish this?
I don't see this is possible other than the KB or restart the IIS services
after you have created the account. -- Regards, Bernard Cheah http://www.microsoft.com/iis/ http://www.iiswebcastseries.com/ http://www.msmvps.com/bernard/ [quoted text, click to view] "Ard" <Ard@discussions.microsoft.com> wrote in message news:F57CE627-8327-4F5D-A7DF-9526173F788A@microsoft.com... > Folks, > > Maybe someone can help me out here. > > I'm working on an ASP web application on a w2k server with iis 5. > The application dynamically creates folders and uses adsi to create local > windows groups that have access to these folders. > Because the group 'authenticated users' is member of one of the new > windows > groups, the IUSR account should have access to the new folder. But because > the IUSR user token is cached for 15 mins anonymous users can't > immediately > access this folder, but have to wait untill the TimeToLive for the IUSR > token > has expired. > > Because of the performance penalty i don't want to reduce the UserTokenTTL > for all users. (The possible solution described in KB152526.) > > Is it possible to force the expiration of the IUSR user token? If I can > expire just this one token immediately after creating the windows groups, > the > problem should be solved. > > Does anyone know a way to accomplish this? > > >
IIS does not expose any programmatic access for users to insert/invalidate
any of its internal caches, so you will have to find a workaround. I do not understand why you ACL the folder to only the new local group -- why don't you ACL the folder to also include Authenticated Users or IUSR since the effective ACL does not change -- but now you do not get affected by the token cache. And I still think that your design of inserting IUSR into various Windows user groups to be weird. It is not clear to me what you are actually gaining vs what I had described earlier. Why are you adding IUSR to various user groups? The real issue here is that when a user account's group membership changes, there is no way for IIS to get a change notification -- or else the token cache would just work. Giving programmatic access for users to insert/invalidate the token cache is clearly not the solution; it is just one of many possible workarounds. -- //David IIS http://blogs.msdn.com/David.Wang This posting is provided "AS IS" with no warranties, and confers no rights. // [quoted text, click to view] "Ard" <Ard@discussions.microsoft.com> wrote in message Folks,news:F57CE627-8327-4F5D-A7DF-9526173F788A@microsoft.com... Maybe someone can help me out here. I'm working on an ASP web application on a w2k server with iis 5. The application dynamically creates folders and uses adsi to create local windows groups that have access to these folders. Because the group 'authenticated users' is member of one of the new windows groups, the IUSR account should have access to the new folder. But because the IUSR user token is cached for 15 mins anonymous users can't immediately access this folder, but have to wait untill the TimeToLive for the IUSR token has expired. Because of the performance penalty i don't want to reduce the UserTokenTTL for all users. (The possible solution described in KB152526.) Is it possible to force the expiration of the IUSR user token? If I can expire just this one token immediately after creating the windows groups, the problem should be solved. Does anyone know a way to accomplish this?
Thanks for your reply
I think in this case granting authenticated users direct access to the folder would be the way to go: so thanks for that suggestion. (It seems so obvious: why didn't I think of that one myself ??) As for the design of the application: it's one of these things that seem to happen to applications that exist for a number of years in a permanent state of development by different developers. (Still not a valid excuse, but it gets me of the hook doesn't it :-) Gr. Ard [quoted text, click to view] "David Wang [Msft]" wrote:
> IIS does not expose any programmatic access for users to insert/invalidate > any of its internal caches, so you will have to find a workaround. I do not > understand why you ACL the folder to only the new local group -- why don't > you ACL the folder to also include Authenticated Users or IUSR since the > effective ACL does not change -- but now you do not get affected by the > token cache. > > And I still think that your design of inserting IUSR into various Windows > user groups to be weird. It is not clear to me what you are actually gaining > vs what I had described earlier. Why are you adding IUSR to various user > groups? > > The real issue here is that when a user account's group membership changes, > there is no way for IIS to get a change notification -- or else the token > cache would just work. Giving programmatic access for users to > insert/invalidate the token cache is clearly not the solution; it is just > one of many possible workarounds. > > -- > //David > IIS > http://blogs.msdn.com/David.Wang > This posting is provided "AS IS" with no warranties, and confers no rights. > // > "Ard" <Ard@discussions.microsoft.com> wrote in message > news:F57CE627-8327-4F5D-A7DF-9526173F788A@microsoft.com... > Folks, > > Maybe someone can help me out here. > > I'm working on an ASP web application on a w2k server with iis 5. > The application dynamically creates folders and uses adsi to create local > windows groups that have access to these folders. > Because the group 'authenticated users' is member of one of the new windows > groups, the IUSR account should have access to the new folder. But because > the IUSR user token is cached for 15 mins anonymous users can't immediately > access this folder, but have to wait untill the TimeToLive for the IUSR > token > has expired. > > Because of the performance penalty i don't want to reduce the UserTokenTTL > for all users. (The possible solution described in KB152526.) > > Is it possible to force the expiration of the IUSR user token? If I can > expire just this one token immediately after creating the windows groups, > the > problem should be solved. > > Does anyone know a way to accomplish this? > > > > > >
Ah, ok. Well, glad the obvious solution is working out for you. :-)
-- //David IIS http://blogs.msdn.com/David.Wang This posting is provided "AS IS" with no warranties, and confers no rights. // [quoted text, click to view] "Ard" <Ard@discussions.microsoft.com> wrote in message Thanks for your replynews:E245B2A4-A8EC-4C03-9EB0-FD489F14EDD4@microsoft.com... I think in this case granting authenticated users direct access to the folder would be the way to go: so thanks for that suggestion. (It seems so obvious: why didn't I think of that one myself ??) As for the design of the application: it's one of these things that seem to happen to applications that exist for a number of years in a permanent state of development by different developers. (Still not a valid excuse, but it gets me of the hook doesn't it :-) Gr. Ard [quoted text, click to view] "David Wang [Msft]" wrote: > IIS does not expose any programmatic access for users to insert/invalidate > any of its internal caches, so you will have to find a workaround. I do not > understand why you ACL the folder to only the new local group -- why don't > you ACL the folder to also include Authenticated Users or IUSR since the > effective ACL does not change -- but now you do not get affected by the > token cache. > > And I still think that your design of inserting IUSR into various Windows > user groups to be weird. It is not clear to me what you are actually gaining > vs what I had described earlier. Why are you adding IUSR to various user > groups? > > The real issue here is that when a user account's group membership changes, > there is no way for IIS to get a change notification -- or else the token > cache would just work. Giving programmatic access for users to > insert/invalidate the token cache is clearly not the solution; it is just > one of many possible workarounds. > > -- > //David > IIS > http://blogs.msdn.com/David.Wang > This posting is provided "AS IS" with no warranties, and confers no rights. > // > "Ard" <Ard@discussions.microsoft.com> wrote in message > news:F57CE627-8327-4F5D-A7DF-9526173F788A@microsoft.com... > Folks, > > Maybe someone can help me out here. > > I'm working on an ASP web application on a w2k server with iis 5. > The application dynamically creates folders and uses adsi to create local > windows groups that have access to these folders. > Because the group 'authenticated users' is member of one of the new windows > groups, the IUSR account should have access to the new folder. But because > the IUSR user token is cached for 15 mins anonymous users can't immediately > access this folder, but have to wait untill the TimeToLive for the IUSR > token > has expired. > > Because of the performance penalty i don't want to reduce the UserTokenTTL > for all users. (The possible solution described in KB152526.) > > Is it possible to force the expiration of the IUSR user token? If I can > expire just this one token immediately after creating the windows groups, > the > problem should be solved. > > Does anyone know a way to accomplish this? > > > > > > >
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |