Re: HowTo Purge Windows (Server 2003) logon session
- From: DaveMo <david.mowers@xxxxxxxxx>
- Date: Wed, 27 Feb 2008 10:21:02 -0800 (PST)
On Feb 26, 10:45 pm, Peke <p...@xxxxxxxxxxxxx> wrote:
Hello Jeffrey,
I think that the KB article is about tokens that are created for users that
are using the website.
The problem I described is about the application pool identity.
The IIS tokens (from the KB article) don't create logon sessions (I don't
see them with the SysInternals tool) like this is the case for the
application pool accounts (which I can see with the SysInternals tool).
Our problem is that the logon session for an application pool identity is
only purged and newly created (and using the new security info) after an
IISRESET, which means that the whole WebServer is resetting.
We need to be able to do this for a particular application pool identity.
Any suggestions?
Regards,
Peter
"Jeffrey Tan[MSFT]" wrote:
Hi Peter,
Thanks for your feedback.
I am not sure but is this what you were looking for?
"Changing the Default Interval for User Tokens in IIS"
http://support.microsoft.com/kb/152526
Thanks.
Best regards,
Jeffrey Tan
Microsoft Online Community Support
Hello Peke,
I assume that when you say, "security of the account" above you are
talking about adding the app pool account to a group.
I'm not exactly sure I have your scenario right, but there is a
possibility that purging the Kerb ticket cache of the service
account's TGT might have the effect you desire. The main reason this
would not work is if the session (token) that needs to be updated is
actually on a remote server. For example, if your app connects to a DB
on another server then the access token for your app is created on the
remote server during the first authentication. Any changes that happen
with the service account would not be reflected on the remote logon
session unless the logon session is disposed of and recreated based on
a new authentication. You could flush the Kerb tickets on the remote
box as well, I guess, but that might start to get a little
complicated.
If however, you are authenticating to a DB on the same server, then
you should be able to take advantage of a shortcut in the LSA which
basically means that there is only one logon session for any
particular account on a server. The Kerb TGT refresh operation would
cause the group membership (and privileges) represented in the token
to be updated.
This probably makes no sense at all, but I hope it helps you think of
other ways to solve your problem.
Dave
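
One way to script the ticket-cache purge suggested in the reply above, scoped to a single account's logon sessions rather than an IISRESET, as an added example that is not part of the original thread. It assumes PowerShell 3.0 or later and the built-in klist.exe with its -lh/-li options (Windows Server 2008 and later, not the Server 2003 system in the thread); the function names and the account CONTOSO\svc_apppool are placeholders.

```powershell
# Added example: purge Kerberos tickets for every logon session of one account.
# Run elevated; purging another logon session's ticket cache requires it.

function Get-AccountLogonSession {
    param([Parameter(Mandatory)][string]$Account)    # 'DOMAIN\name'
    $domain, $name = $Account -split '\\', 2
    $mask = [uint64][uint32]::MaxValue
    # Win32_LoggedOnUser links an account (Antecedent) to a logon session
    # (Dependent). LogonId is the 64-bit session LUID as a decimal string.
    # WMI can also report sessions that have already ended.
    Get-CimInstance -ClassName Win32_LoggedOnUser |
        Where-Object { $_.Antecedent.Domain -eq $domain -and
                       $_.Antecedent.Name   -eq $name } |
        ForEach-Object {
            $luid = [uint64]$_.Dependent.LogonId
            [pscustomobject]@{
                Luid = $luid
                High = '0x{0:x}' -f ($luid -shr 32)     # klist -lh
                Low  = '0x{0:x}' -f ($luid -band $mask) # klist -li
            }
        } | Sort-Object -Property Luid -Unique
}

function Clear-AccountKerberosTicket {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Account)
    foreach ($s in Get-AccountLogonSession -Account $Account) {
        $klistArgs = @('-li', $s.Low, 'purge')
        if ($s.High -ne '0x0') { $klistArgs = @('-lh', $s.High) + $klistArgs }
        if ($PSCmdlet.ShouldProcess("$Account logon session $($s.Low)",
                                    'purge Kerberos ticket cache')) {
            & klist.exe @klistArgs
        }
    }
}

# Preview which sessions would be purged; drop -WhatIf to purge them.
Clear-AccountKerberosTicket -Account 'CONTOSO\svc_apppool' -WhatIf
```

The purge only empties the ticket cache of the sessions on the machine where it runs; a logon session created on a remote server, such as the DB case described above, is not touched by it.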