IIS user credentials caching

From: Nayden Kolev (naydencho_at_HOTMAIL.COM)
Date: 11/29/03


Date: Fri, 28 Nov 2003 18:42:48 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Hello All,

Here is something I noticed on a Windows Server 2003 Enterprise... (it seems
it is also true for older versions of Windows Server and IIS)

I tested this on a newly installed Windows Server 2003 Enterprise (the
server is not in a domain.) I have a simple FTP site configured on the
server. The site is configured to NOT allow anonymous connections, only
"Windows Integrated" and I have a few user names created locally on the
server. I set passwords for those, and tried logging on. All is good.

Then I reset the password of one of the users and tried logging on with the
new password - did not work! I tried with the OLD password and it DID work!
I tried that a few more times, same result.

After some trial and error testing I found out that the password change
takes effect after approximately 15 min, sometimes even longer. It seems to
take effect immediately if you restart IIS. Also, disabling the account has
the same end result behavior as resetting the password - you can log on with
that account for 15 min after disabling it.

I would think stuff like that would/should take effect immediately,
especially as the accounts are local and there is no AD sync to take effect
(even those are almost immediate...)

I found some info on it (although my testing showed slightly different
results) in KB210992 - apparently this is "by design"...

So, I just thought I'd mention it...

Nay
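
Added example, not part of the original post: one way a defender could check logs for the window described above, by flagging FTP logons that succeed shortly after an account's password was reset or the account was disabled. The log layout, account names, addresses and the 5-minute slack are constructed assumptions; adapt the parsing to the real FTP and audit logs.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# Delay reported in the post: about 15 minutes, "sometimes even longer".
# The extra 5 minutes of slack is an assumption, not a documented value.
WINDOW = timedelta(minutes=15 + 5)

# Constructed account-change records: date time user action
ACCOUNT_CHANGES = """\
2003-11-28 18:00:00 ftpuser1 password_reset
2003-11-28 18:05:00 ftpuser2 disabled
"""

# Constructed FTP log, hypothetical layout: date time ip session command arg status
FTP_LOG = """\
2003-11-28 18:04:30 10.0.0.5 2 USER ftpuser1 331
2003-11-28 18:04:31 10.0.0.5 2 PASS - 230
2003-11-28 18:10:00 10.0.0.9 3 USER ftpuser2 331
2003-11-28 18:10:01 10.0.0.9 3 PASS - 230
2003-11-28 18:12:00 10.0.0.7 4 USER ftpuser1 331
2003-11-28 18:12:01 10.0.0.7 4 PASS - 530
2003-11-28 18:40:00 10.0.0.5 5 USER ftpuser1 331
2003-11-28 18:40:01 10.0.0.5 5 PASS - 230
"""

def successful_logons(log_text):
    """Yield (timestamp, user, client_ip) for every PASS answered with 230."""
    pending = {}  # (client ip, session id) -> name from the USER command
    for line in log_text.splitlines():
        date, time, ip, session, cmd, arg, status = line.split()
        if cmd == "USER":
            pending[(ip, session)] = arg.lower()
        elif cmd == "PASS" and status == "230" and (ip, session) in pending:
            yield datetime.strptime(f"{date} {time}", FMT), pending[(ip, session)], ip

def stale_logons(changes_text, log_text, window=WINDOW):
    """Return logons that succeeded within `window` after a reset or disable."""
    changes = [(datetime.strptime(row[:19], FMT), *row[20:].lower().split())
               for row in changes_text.splitlines()]
    hits = []
    for ts, user, ip in successful_logons(log_text):
        for changed_at, changed_user, action in changes:
            age = ts - changed_at
            if user == changed_user and timedelta(0) <= age <= window:
                hits.append((user, ip, action, int(age.total_seconds())))
    return hits

if __name__ == "__main__":
    for hit in stale_logons(ACCOUNT_CHANGES, FTP_LOG):
        print(hit)
```

Each hit is (user, client address, change type, seconds since the change); a hit after a disable is the clearer signal, while one after a reset only shows that a logon was accepted inside the window.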



