RE: HowTo Purge Windows (Server 2003) logon session



Hi Jeffrey,

Sorry for the delay.

In our configuration we're using domain accounts as IIS application pool
identities.
I know this gives problems with Kerberos in a clustered environment (that's
why we disabled 'negotiate' and only allow NTLM).

Our policy is that a developer doesn't need to know the application account
and even can't find out (programmatically) what the password is for the
application account (which accesses the back-end).

If we would use the programmatic impersonation, the developer can get the
password because the account is created programmatically and the password
will be available.

If you have a better suggestion, please feel free.

When IIS starts (or after IISRESET), it creates a logon session (of type
batch) for every application pool identity. If the security for that account
changes, the changes are only available to the IIS application after
IISRESET. Stopping/starting the application pool doesn't help, it reuses the
available logon session.
So I assume that if I can purge the logon session and restart the application
pool, then IIS will create a new logon session.

Bottom line, I need the functionality of IISRESET for a specific application
pool.

Kind regards,

Peter

(BTW, I use logonsessions.exe from SysInternals to view the sessions).



"Jeffrey Tan[MSFT]" wrote:

Hi Peter,

How about this issue now? If you still need any help, please feel free to
feedback, thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support


