Re: HowTo Purge Windows (Server 2003) logon session



On Mar 10, 12:08 am, Peke <p...@xxxxxxxxxxxxx> wrote:
Hi Dave,

I think that klist.exe is for the current logged on user only.

Any other suggestion ?

Peter



"DaveMo" wrote:
On Mar 4, 12:31 am, Peke <p...@xxxxxxxxxxxxx> wrote:
Hi Dave,

Thx for the response.
Your interpretation of the problem is correct.
If I add the application pool account to a group, the changes (implied by
the security of that group) only become effective after IISRESET.
I'm not sure how this is related to Kerberos Tickets and remote servers.
After IISRESET everything (file access on the same server, access to the
remote DB) works fine. Does cleaning up the Kerberos Ticket cache make the
logon session get purged and recreated ? And are there tools available for
cleaning up the Kerberos Ticket Cache for a specified user ?

Grtz,

Peter

"DaveMo" wrote:
On Feb 26, 10:45 pm, Peke <p...@xxxxxxxxxxxxx> wrote:
Hello Jeffrey,

I think that the KB article is about tokens that are created for users that
are using the website.

The problem I described is about the application pool identity.

The IIS tokens (from the KB article) don't create logon sessions (I don't
see them with the SysInternals tool) like is the case for the
application pool accounts (which I can see with the SysInternals tool).

Our problem is that the logon session for an application pool identity is
only purged and newly created (and using the new security info) after an
IISRESET, which means that the whole WebServer is resetting.
We need to be able to do this for a particular application pool identity.

Any suggestions ?

Regards,

Peter

""Jeffrey Tan[MSFT]"" wrote:
Hi Peter,

Thanks for your feedback.

I am not sure but is this what you were looking for?
"Changing the Default Interval for User Tokens in IIS"
http://support.microsoft.com/kb/152526

Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default..asp....
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Hello Peke,

I assume that when you say, "security of the account" above you are
talking about adding the app pool account to a group.

I'm not exactly sure I have your scenario right, but there is a
possibility that purging the Kerb ticket cache of the service
account's TGT might have the effect you desire. The main reason this
would not work is if the session (token) that needs to be updated is
actually on a remote server. For example, if your app connects to a DB
on another server then the access token for your app is created on the
remote server during the first authentication. Any changes that happen
with the service account would not be reflected on the remote logon
session unless the logon session is disposed of and recreated based on
a new authentication. You could flush the Kerb tickets on the remote
box as well, I guess, but that might start to get a little
complicated.

If, however, you are authenticating to a DB on the same server, then
you should be able to take advantage of a shortcut in the LSA which
basically means that there is only one logon session for any
particular account on a server. The Kerb TGT refresh operation would
cause the group membership (and privileges) represented in the token
to be updated.

This probably makes no sense at all, but I hope it helps you think of
other ways to solve your problem.

Dave

Hello Peter,

Yes, there are such tools available. Try
http://www.microsoft.com/downloads/details.aspx?familyid=1581E6E7-7E6....

Let us know if it helped solve your problem.

Dave

To see if this really solves the problem, set up a test where you know
the username and password and then do a runas on cmd.exe. Then you can
run klist as the user of interest. I think I might have a superklist
around that will purge tickets from any logon session when run as
localsystem. I'll have to look around and see if I can find it.

Dave
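Dave's runas-plus-klist test, and the "superklist" that purges tickets from another logon session, can be reproduced on Windows Vista / Server 2008 and later, where the built-in klist.exe accepts a logon-session LUID. The PowerShell script below is an added example, not code from the thread or from Microsoft; it assumes that newer klist, an elevated prompt, and uses a constructed account name as a placeholder.

```powershell
# Added example (not from the thread). Assumes the klist.exe shipped with
# Windows Vista / Server 2008 and later, which accepts "-li <LUID>"; the
# Server 2003 Resource Kit klist only sees the caller's own session.
# Run from an elevated prompt (touching another session's cache needs it).
param(
    # Account whose logon session to inspect, e.g. 'CONTOSO\svc-apppool'
    # (constructed placeholder, not a name from the thread).
    [Parameter(Mandatory = $true)][string]$Account,
    # Only purge when explicitly asked; the default run just lists tickets.
    [switch]$Purge
)

# 'klist sessions' prints one line per logon session, for example:
#   [2] Session 0 0:0x3e4 NT AUTHORITY\NETWORK SERVICE Negotiate:Local
# Capture the LUID, the account (may contain spaces) and package:logontype.
$pattern = '^\[\d+\]\s+Session\s+\d+\s+0:(0x[0-9a-fA-F]+)\s+(.+?)\s+(\S+:\S+)\s*$'
$sessions = foreach ($line in (& klist sessions)) {
    if ($line -match $pattern) {
        [pscustomobject]@{ Luid = $matches[1]; Account = $matches[2]; Package = $matches[3] }
    }
}

# An account can hold several logon sessions (several app pools, a service
# and an interactive logon), so keep all matches rather than the first one.
$targets = @($sessions | Where-Object { $_.Account -eq $Account })
if ($targets.Count -eq 0) {
    Write-Warning "No logon session found for $Account (is the app pool running?)"
    return
}

foreach ($s in $targets) {
    Write-Host "Logon session $($s.Luid) [$($s.Package)] for $($s.Account)"
    # Tickets held by that session, read without running as that user.
    & klist -li $s.Luid tickets
    if ($Purge) {
        & klist -li $s.Luid purge
        Write-Host "Purged. Remaining tickets:"
        & klist -li $s.Luid tickets
    }
}
```

Purging only empties that session's ticket cache; the logon session and its token are left in place, so, as Dave suggests, verify in a test whether the freshly acquired tickets actually carry the new group membership before relying on this instead of an IISRESET.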