
Resetting IUSR user token

Author
24 Jun 2005 11:25 AM
Ard
Folks,

Maybe someone can help me out here.

I'm working on an ASP web application on a w2k server with iis 5.
The application dynamically creates folders and uses adsi to create local
windows groups that have access to these folders.
Because the group 'authenticated users' is a member of one of the new windows
groups, the IUSR account should have access to the new folder. But because
the IUSR user token is cached for 15 mins anonymous users can't immediately
access this folder, but have to wait until the TimeToLive for the IUSR token
has expired.

Because of the performance penalty I don't want to reduce the UserTokenTTL
for all users. (The possible solution described in KB152526.)

Is it possible to force the expiration of the IUSR user token? If I can
expire just this one token immediately after creating the windows groups, the
problem should be solved.

Does anyone know a way to accomplish this?

Author
26 Jun 2005 4:31 AM
Bernard Cheah [MVP]
I don't see this is possible other than the KB or restart the IIS services
after you have created the account.

Author
26 Jun 2005 10:30 AM
David Wang [Msft]
IIS does not expose any programmatic access for users to insert/invalidate
any of its internal caches, so you will have to find a workaround. I do not
understand why you ACL the folder to only the new local group -- why don't
you ACL the folder to also include Authenticated Users or IUSR since the
effective ACL does not change -- but now you do not get affected by the
token cache.

And I still think that your design of inserting IUSR into various Windows
user groups to be weird. It is not clear to me what you are actually gaining
vs what I had described earlier. Why are you adding IUSR to various user
groups?

The real issue here is that when a user account's group membership changes,
there is no way for IIS to get a change notification -- or else the token
cache would just work. Giving programmatic access for users to
insert/invalidate the token cache is clearly not the solution; it is just
one of many possible workarounds.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
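The behaviour David describes, as an added toy model (not the thread's code and not IIS internals): a user token is a snapshot of the principal's SIDs taken at logon, IIS keeps it for the UserTokenTTL, and every access check compares that snapshot with the folder's DACL. The account name, group name and folder ACLs below are constructed; the model shows why an ACE for the newly created group fails until the token expires, while an ACE for Authenticated Users (already in the cached token) works immediately.

```python
"""Toy model of the IIS user-token cache behaviour discussed in this thread.

Constructed example, not IIS internals: a token is a snapshot of a principal's
SIDs, cached for a TTL; group-membership changes made after the snapshot are
invisible to access checks until the token is rebuilt.
"""
from dataclasses import dataclass

TTL_SECONDS = 15 * 60  # the 15-minute UserTokenTTL the poster describes

# Names stand in for SIDs; the IUSR account name is hypothetical.
IUSR = "IUSR_WEBSRV"
EVERYONE = "Everyone"
AUTH_USERS = "Authenticated Users"


@dataclass(frozen=True)
class Token:
    principal: str
    sids: frozenset
    created_at: float


def build_token(principal, local_groups, now):
    """Snapshot the principal's SIDs: the account, the implicit well-known
    groups, and every local group that (transitively) contains one of them."""
    sids = {principal, EVERYONE, AUTH_USERS}
    changed = True
    while changed:  # resolve nested local groups until nothing new is added
        changed = False
        for group, members in local_groups.items():
            if group not in sids and sids & members:
                sids.add(group)
                changed = True
    return Token(principal, frozenset(sids), now)


class TokenCache:
    """Per-principal token cache with a time-to-live, as the thread describes."""

    def __init__(self, ttl=TTL_SECONDS):
        self.ttl = ttl
        self._tokens = {}

    def get(self, principal, local_groups, now):
        tok = self._tokens.get(principal)
        if tok is None or now - tok.created_at >= self.ttl:
            tok = build_token(principal, local_groups, now)  # rebuild after TTL
            self._tokens[principal] = tok
        return tok


def access_check(token, dacl):
    """dacl: list of (trustee, 'allow' | 'deny'). A deny ACE naming any SID in
    the token wins; otherwise access needs at least one matching allow ACE."""
    matching = [kind for trustee, kind in dacl if trustee in token.sids]
    return "deny" not in matching and "allow" in matching


def scenario():
    """Replay the poster's sequence of events against the cached token."""
    local_groups = {}
    cache = TokenCache()
    # t=0: first anonymous request; IUSR's token is built and cached.
    cache.get(IUSR, local_groups, now=0)
    # t=10: the ASP app creates a folder and a local group whose member is
    # Authenticated Users, then ACLs the folder (constructed group name).
    local_groups["web_project_42"] = {AUTH_USERS}
    only_new_group = [("web_project_42", "allow")]
    with_auth_users = [("web_project_42", "allow"), (AUTH_USERS, "allow")]
    return {
        # Cached token predates the group, so the group-only ACL denies.
        "cached_vs_group_only": access_check(cache.get(IUSR, local_groups, 10), only_new_group),
        # Authenticated Users is already in the cached token: access works now.
        "cached_vs_auth_users": access_check(cache.get(IUSR, local_groups, 10), with_auth_users),
        # Once the TTL passes the token is rebuilt and includes the new group.
        "after_ttl_vs_group_only": access_check(cache.get(IUSR, local_groups, TTL_SECONDS), only_new_group),
    }


if __name__ == "__main__":
    for name, granted in scenario().items():
        print(f"{name}: {'allowed' if granted else 'denied'}")
```

The model's only moving part is when the snapshot is taken, which is exactly why shrinking the TTL or restarting IIS are the only knobs the thread's replies offer; adding the ACE for a SID the token already carries sidesteps the cache without touching it.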
Author
29 Jun 2005 7:28 AM
Ard
Thanks for your reply

I think in this case granting authenticated users direct access to the
folder would be the way to go: so thanks for that suggestion. (It seems so
obvious: why didn't I think of that one myself ??)

As for the design of the application: it's one of these things that seem to
happen to applications that exist for a number of years in a permanent state
of development by different developers. (Still not a valid excuse, but it
gets me off the hook, doesn't it :-)

Gr. Ard

Author
29 Jun 2005 10:38 PM
David Wang [Msft]
Ah, ok. Well, glad the obvious solution is working out for you. :-)

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//