Re: ASP.NET - Basic/SSL - Changes in user group membership delayed

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 12/09/04


Date: Thu, 9 Dec 2004 14:32:11 -0600

It could be that IIS is caching token handles in its own process memory and
reusing those, or it might be that killing IIS causes the token to get removed
from the box.

I'd still ask the server guys, but this question might need to go to the
guys who do IIS specifically. Like I said, I was just guessing. It
definitely appears that somewhere in the chain, a slightly outdated version
of the user's token is being used, so it must be getting cached somewhere.
We just don't know the details.

If you find the real answer, please let us know.

Joe K.

"Svante" <Svante@discussions.microsoft.com> wrote in message
news:154BABF8-2D9C-4B4A-87CC-1E13266AAC58@microsoft.com...
> "Joe Kaplan (MVP - ADSI)" wrote:
>
>> I actually wouldn't be surprised if the token on the server was getting
>> reused and that would be a good explanation for the problem. If the
>> Kerberos ticket is cached on the server, it might not get refreshed right
>> away. I'm pretty sure the server isn't going to make a round trip to the
>> KDC for every single authentication. This is probably a better question
>> for the Windows server guys though to get the details of how the LSA is
>> handling this.
> (snip)
>
> Thank you for your support :-) The only problem I have with your
> suggestion of going to the server guys is that it appears to be strictly
> related to IIS (ASP.NET Worker Process?). If I restart IIS the changes are
> effective immediately.
>
> How would that affect the server's basic caching of credentials?
>
> Svante
>


