Application Pool timeouts

Hi,

I posted before suggesting that I had a Kerberos timeout issue but this was incorrect.
I have found that there is a global application pool setting of 30 minutes timeout and a default application pool setting of 20 minutes. This is partially where my problem is.
It only happens when using Kerberos authentication.
When a user has been idle for more than 20 minutes their session is timed out and thus closed. However, Internet Explorer on their desktop is still open and unaware that their session is timed out.
When the user now tries to get access to anything on the website I would expect IIS to request IE to reauthenticate but it does not. Instead it allows the user to connect anonymously.
Anonymous logon has been removed from the website properties and NTFS security on the web folders is locked down to prevent anonymous logon.
Also, restarting IIS kills all their sessions and thus experiences the same issues.

My current work around is to open up both timeouts to be 8 hours. This means that a user session should never time out within their work shift.

Anybody have any ideas on this?

Thanks,
JMCD


"JMCD" <J***@discussions.microsoft.com> wrote in message news:8F9E1EAB-EDBA-4315-A3EA-1011E75A9B5B@microsoft.com...
> I posted before suggesting that I had a Kerberos timeout issue but this was incorrect.
> I have found that there is a global application pool setting of 30 minutes timeout and a default application pool setting of 20 minutes. This is partially where my problem is.
> It only happens when using Kerberos authentication.
> When a user has been idle for more than 20 minutes their session is timed out and thus closed. However, Internet Explorer on their desktop is still open and unaware that their session is timed out.

What session are you talking about here? A "kerberos session" or some application level session?

> When the user now tries to get access to anything on the website I would expect IIS to request IE to reauthenticate but it does not. Instead it allows the user to connect anonymously.

IE will continue sending whatever credentials it sent last time. It doesn't connect "anonymously" if it connected using Kerberos previously.

Can you post the relevant logfile entries from the IIS logfile please?

> Anonymous logon has been removed from the website properties and NTFS security on the web folders is locked down to prevent anonymous logon.

So, IIS can't be allowing anonymous logon then?

> Also, restarting IIS kills all their sessions and thus experiences the same issues.
>
> My current work around is to open up both timeouts to be 8 hours. This means that a user session should never time out within their work shift.
>
> Anybody have any ideas on this?

Well, my initial thoughts are that this is very confusing to read for someone who's not on site.

For Kerberos authentication to IIS, IE sends a service ticket. For each subsequent request, IE will continue sending that same ticket until either IE is closed, or the server says that the ticket is not valid (in which case the user is prompted to enter alternate credentials).

So, what I'm confused about is:
a) what the 20 minute application pool session timeout has to do with Kerberos (I'm assuming you're talking about ASP/ASP.NET sessions or something)
b) why you think IE is attempting an anonymous logon (please provide some evidence of this please)
c) why IIS would be allowing an anonymous logon given that you've explicitly configured this not to be allowed.

Cheers
Ken


Thanks for the reply.

FYI. It is using Kerberos to authenticate the user and it is connecting successfully. I have used the kerb tray utility to confirm this. Also, there are back end systems/shares that are set up as virtual directories. Those servers show security events confirming Kerberos connections for the user but coming from the intranet server. This is as expected and there are no anonymous connections being made at this time. Everything works fine at this point.

In answer to your questions -

a) From what I understand, the application pool timeout is the timeout for an idle session which is created by a browser.
When the default application pool is set to 20 minutes, if the user's browser is idle for 20 minutes or longer the problems occur.
When I pump this value up to 8 hours the users do not appear to have a problem unless they leave Internet Explorer idle for 8 hours.

b) After the 20 minutes is up, I have confirmed that when the user tries to access a back end system via the Intranet, security event logs on the back end servers say that an anonymous user is trying to connect from the intranet server. Since the anonymous user does not have access to the directory they get errors. Though there are no access denied messages in the event logs.
Clicking refresh for Internet Explorer does not fix the problem.
Browsing to another site and then browsing back to the intranet does fix the problem.
Closing Internet Explorer and opening it again also fixes the problem.
Note that the problem also occurs if I restart IIS while the user has the browser open.

c) I don't know how anonymous logon could be allowed when I have only allowed Integrated Authentication and defined NTFS security which doesn't allow anonymous access. The weird thing is, when the user is experiencing the problem the IIS logs correctly list the user as being the one who requested the info and not anonymous user.
They can also browse to other pages on the intranet without a problem.

I do not experience this problem when the site uses NTLM and prompts the user to supply login credentials. When using NTLM, the session timeout setting does not seem to affect the users.

"Ken Schaefer" wrote:
> [Ken's reply above, quoted in full]


In response to your points below:

"JMCD" <J***@discussions.microsoft.com> wrote in message news:EA45766A-56B4-48C1-B330-9F064F54FECE@microsoft.com...
> a) From what I understand, the application pool timeout is the timeout for an idle session which is created by a browser.
> When the default application pool is set to 20 minutes, if the user's browser is idle for 20 minutes or longer the problems occur.
> When I pump this value up to 8 hours the users do not appear to have a problem unless they leave Internet Explorer idle for 8 hours.

I still don't understand what timeout you are talking about exactly. I *assume* you are talking about the "idle timeout" located at: web app pool properties -> performance tab -> Idle Timeout -> "shutdown worker processes after being idle for (time in minutes)"

This is called "Idle Timeout" not "Application Pool Timeout". Is this what you are talking about? Or something else?

If so, this causes the Web Application Pool's w3wp.exe process to be shutdown by IIS when no requests are made to any websites in that pool by *any* browser within a 20 minute period.

> c) I don't know how anonymous logon could be allowed when I have only allowed Integrated Authentication and defined NTFS security which doesn't allow anonymous access. The weird thing is, when the user is experiencing the problem the IIS logs correctly list the user as being the one who requested the info and not anonymous user.

So, from your logfiles it is clear that the browser is still sending the credentials, and IIS is logging on the appropriate user. So this is nothing to do with the client per se.

Can you post the corresponding logfile entries (per my request in the previous email), and security related logfile entries?

Can you verify that the server is getting a service ticket on behalf of the end user for the remote backend services?

Cheers
Ken
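An added example, not part of the thread, of the log check Ken asks for: it parses IIS W3C log lines, reports the first request after the pool sat idle for the 20-minute timeout (the point at which w3wp.exe would have been shut down), and lists any anonymous request that was actually served rather than challenged. The log lines, host names and user are constructed for the example.

```python
"""Added check for IIS W3C log lines: find the first request after a pool-wide idle
gap, and any anonymous request that was actually served. Sample lines are constructed."""
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=20)  # the default app pool idle timeout from the thread

# Constructed sample in IIS 6 W3C extended format; not from any real server.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem sc-status sc-substatus
2005-03-01 09:00:10 10.0.0.5 CORP\\jsmith 10.0.0.1 GET /default.aspx 200 0
2005-03-01 09:05:42 10.0.0.5 CORP\\jsmith 10.0.0.1 GET /reports/ 200 0
2005-03-01 09:31:03 10.0.0.5 CORP\\jsmith 10.0.0.1 GET /backend/share/ 500 0
2005-03-01 09:31:05 10.0.0.5 - 10.0.0.1 GET /public.htm 401 2
2005-03-01 09:31:05 10.0.0.5 CORP\\jsmith 10.0.0.1 GET /public.htm 200 0
"""

def parse_w3c(text):
    """Yield one dict per log entry, naming the columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def first_requests_after_idle(text, idle=IDLE_TIMEOUT):
    """Entries that are the first hit after the pool sat idle for at least `idle`.
    The idle timeout is pool-wide, so the gap is measured from the previous request
    by *any* client: that is the point at which IIS would have shut down w3wp.exe."""
    hits, prev = [], None
    for e in parse_w3c(text):
        t = datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S")
        if prev is not None and t - prev >= idle:
            hits.append({"uri": e["cs-uri-stem"], "user": e["cs-username"],
                         "status": e["sc-status"],
                         "idle_minutes": round((t - prev).total_seconds() / 60)})
        prev = t
    return hits

def anonymous_successes(text):
    """Anonymous ('-') requests served with 2xx. With anonymous access disabled there
    should be none; a '-' with 401.2 is normally just the Negotiate challenge, not a logon."""
    return [e for e in parse_w3c(text)
            if e["cs-username"] == "-" and e["sc-status"].startswith("2")]

if __name__ == "__main__":
    for h in first_requests_after_idle(SAMPLE_LOG):
        print("first request after %d idle minutes: %s %s -> %s" % (h["idle_minutes"], h["user"], h["uri"], h["status"]))
    print("anonymous 2xx entries:", len(anonymous_successes(SAMPLE_LOG)))
```

Run against a real log, a request that is the first after the idle gap yet carries the user name while the back end reports an anonymous caller points at the server side (the delegated ticket to the back end), not at IE dropping its credentials, which is what Ken's last question is probing.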