Re: ASP.NET - Basic/SSL - Changes in user group membership delayed

From: Svante (Svante_at_discussions.microsoft.com)
Date: 12/08/04

  • Next message: Joe Kaplan \(MVP - ADSI\): "Re: windows pass through authentication\authorization...." 
    Date: Wed, 8 Dec 2004 07:13:05 -0800

    "Paul Clement" wrote:

    (snip)
    > ¤ Observation: But, it appears that the ASP.NET worker process, once it has
    > ¤ impersonated a user, will re-use that same user token when when the same user
    > ¤ is re-authenticated after having started a new browser.
    (snip)
    > Is there any chance your network configuration implements load balancing domain controllers, or are
    > you using a single domain controller.?
    Single in this case. Production is load balancing, and there's a known
    propagation delay between them in that case. That's not the problem here.

    > Based upon my understanding of authenticated credentials and the checking of permissions with
    > respect to resources and IIS, I don't think the description in your observation is possible.
    >

    The suggested model for explanation may well be wrong, but the basic
    observation is certainly possible....

    0 - I log on via Basic Authentication/SSL after browsing to my app. The app
    impersonates the authenticated user, and access a file wherafter I close the
    browser.
    1 - I remove the user from a group in Active Directory.
    2- I log on via Basic Authentication/SSL after browsing to my app. The app
    impersonates the authenticated users.
    3 - The app can access files that provably require membership in the just
    removed-from group, until I restart IIS (or probably restart ASP.NET worker
    process, I can't definitely say though since it takes too long time to wait,
    and I can't seem to just kill it manually).

    Svante

  • Next message: Joe Kaplan \(MVP - ADSI\): "Re: windows pass through authentication\authorization...."

    Relevant Pages