Re: Resetting IUSR user token
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 06/26/05
- In reply to: Ard: "Resetting IUSR user token"
Date: Sun, 26 Jun 2005 03:30:09 -0700
IIS does not expose any programmatic access for users to insert/invalidate
any of its internal caches, so you will have to find a workaround. I do not
understand why you ACL the folder to only the new local group -- why don't
you ACL the folder to also include Authenticated Users or IUSR since the
effective ACL does not change -- but now you do not get affected by the
token cache.

And I still think that your design of inserting IUSR into various Windows
user groups is weird. It is not clear to me what you are actually gaining
vs what I had described earlier. Why are you adding IUSR to various user
groups?

The real issue here is that when a user account's group membership changes,
there is no way for IIS to get a change notification -- or else the token
cache would just work. Giving programmatic access for users to
insert/invalidate the token cache is clearly not the solution; it is just
one of many possible workarounds.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Ard" <Ard@discussions.microsoft.com> wrote in message
news:F57CE627-8327-4F5D-A7DF-9526173F788A@microsoft.com...

Folks,

Maybe someone can help me out here.

I'm working on an ASP web application on a w2k server with IIS 5. The
application dynamically creates folders and uses ADSI to create local
Windows groups that have access to these folders. Because the group
'authenticated users' is a member of one of the new Windows groups, the IUSR
account should have access to the new folder. But because the IUSR user
token is cached for 15 mins, anonymous users can't immediately access this
folder, but have to wait until the TimeToLive for the IUSR token has
expired. Because of the performance penalty I don't want to reduce the
UserTokenTTL for all users. (The possible solution described in KB152526.)

Is it possible to force the expiration of the IUSR user token? If I can
expire just this one token immediately after creating the Windows groups,
the problem should be solved. Does anyone know a way to accomplish this?
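
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not IIS code: a simplified Python model of a token cache with a 15-minute TTL, showing why a newly created group is invisible to the cached IUSR token while an ACL entry for a principal already in that token takes effect at once. The class names, the `FolderReaders` group and the treatment of Authenticated Users as an ordinary stored group are assumptions made for the model.

```python
class Directory:
    """Constructed stand-in for the local account database (assumption, not a Windows API)."""
    def __init__(self):
        self.members = {}                      # group -> set of members

    def add_member(self, group, member):
        self.members.setdefault(group, set()).add(member)

    def logon_groups(self, user):
        """Principals a fresh token for `user` carries (nested groups resolved)."""
        held, grew = {user}, True
        while grew:
            grew = False
            for group, members in self.members.items():
                if group not in held and members & held:
                    held.add(group)
                    grew = True
        return frozenset(held)

class TokenCache:
    """Reuses a user's token until it is `ttl` seconds old (900 s = the 15 minutes in the thread)."""
    def __init__(self, directory, clock, ttl=900):
        self.directory, self.clock, self.ttl = directory, clock, ttl
        self.entries = {}                      # user -> (created_at, token)

    def token(self, user):
        now = self.clock()
        entry = self.entries.get(user)
        if entry is None or now - entry[0] >= self.ttl:
            entry = (now, self.directory.logon_groups(user))   # fresh logon
            self.entries[user] = entry
        return entry[1]

def allowed(token, acl):
    """Access is granted when any principal in the token appears in the ACL."""
    return bool(token & acl)

def run_scenario():
    now = [0]                                  # fake clock so the model runs instantly
    directory = Directory()
    directory.add_member("Authenticated Users", "IUSR")
    cache = TokenCache(directory, clock=lambda: now[0])
    cache.token("IUSR")                        # anonymous request at t=0 caches the token
    directory.add_member("FolderReaders", "Authenticated Users")  # app creates the new group
    now[0] = 60
    group_only = allowed(cache.token("IUSR"), {"FolderReaders"})
    widened = allowed(cache.token("IUSR"), {"FolderReaders", "Authenticated Users"})
    now[0] = 900                               # TTL reached: the next request gets a fresh token
    after_ttl = allowed(cache.token("IUSR"), {"FolderReaders"})
    return {"group_only_at_60s": group_only, "widened_acl_at_60s": widened,
            "group_only_after_ttl": after_ttl}
```
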