Re: Resetting IUSR user token
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 06/30/05
Date: Wed, 29 Jun 2005 15:38:09 -0700
Ah, ok. Well, glad the obvious solution is working out for you. :-)
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Ard" <Ard@discussions.microsoft.com> wrote in message news:E245B2A4-A8EC-4C03-9EB0-FD489F14EDD4@microsoft.com...

Thanks for your reply

I think in this case granting authenticated users direct access to the folder would be the way to go: so thanks for that suggestion. (It seems so obvious: why didn't I think of that one myself ??)

As for the design of the application: it's one of these things that seem to happen to applications that exist for a number of years in a permanent state of development by different developers. (Still not a valid excuse, but it gets me off the hook doesn't it :-)

Gr.
Ard

"David Wang [Msft]" wrote:

> IIS does not expose any programmatic access for users to insert/invalidate
> any of its internal caches, so you will have to find a workaround. I do not
> understand why you ACL the folder to only the new local group -- why don't
> you ACL the folder to also include Authenticated Users or IUSR since the
> effective ACL does not change -- but now you do not get affected by the
> token cache.
>
> And I still think that your design of inserting IUSR into various Windows
> user groups to be weird. It is not clear to me what you are actually gaining
> vs what I had described earlier. Why are you adding IUSR to various user
> groups?
>
> The real issue here is that when a user account's group membership changes,
> there is no way for IIS to get a change notification -- or else the token
> cache would just work. Giving programmatic access for users to
> insert/invalidate the token cache is clearly not the solution; it is just
> one of many possible workarounds.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
>
> "Ard" <Ard@discussions.microsoft.com> wrote in message
> news:F57CE627-8327-4F5D-A7DF-9526173F788A@microsoft.com...
>
> Folks,
>
> Maybe someone can help me out here.
>
> I'm working on an ASP web application on a w2k server with IIS 5.
> The application dynamically creates folders and uses ADSI to create local
> Windows groups that have access to these folders.
> Because the group 'authenticated users' is a member of one of the new Windows
> groups, the IUSR account should have access to the new folder. But because
> the IUSR user token is cached for 15 mins, anonymous users can't immediately
> access this folder, but have to wait until the TimeToLive for the IUSR
> token has expired.
>
> Because of the performance penalty I don't want to reduce the UserTokenTTL
> for all users. (The possible solution described in KB152526.)
>
> Is it possible to force the expiration of the IUSR user token? If I can
> expire just this one token immediately after creating the Windows groups,
> the problem should be solved.
>
> Does anyone know a way to accomplish this?