IIS 7 and Above
Strange behaviour "basic authentication"
Last post May 04, 2008 02:14 PM by louis02
Apr 29, 2008 04:06 PM|louis02
I use "basic authentication" and found that user information is somehow cached by IIS7.
If I change the user's password, disable it or even delete the user account, I can still log in with that account.
After having changed the password, it was even possible to use both the old and new passwords.
I've searched the internet for a solution but couldn't find it.
Until I found on Technet (http://technet2.microsoft.com/windowsserver2008/en/library/dbaadb7c-433d-4c88-ab7f-1575258131dc1033.mspx) that the TokenCacheModule was a part of the Basic Authentication.
Unfortunately I couldn't find anything about the TokenCacheModule, but on this forum I accidentally discovered how to uninstall it.
Since I couldn't find this module in the IIS7 management I used "C:\Windows\System32\inetsrv\appcmd.exe uninstall module TokenCacheModule" to uninstall this module. Now the problem is gone.
But I really would like to uninstall or even configure this module the normal way.
Can someone please tell me what the TokenCacheModule exactly does? Is it harmful if I just uninstall this module?
Apr 30, 2008 12:05 AM|thomad
When you log on with Basic Authentication, IIS caches the logon information (token) of a user in the IIS token cache. This is necessary because entering a single URL in the browser might generate hundreds of requests. Just look at some of your pages and count all the images and other HREFs you have in there. Each one is its own request. If IIS didn't cache the token, it would have to call LogonUser for each one of these requests. This could result in going to the Domain Controller (which is probably on another machine) for each one of these requests, and this gets incredibly expensive and your web-site would get awfully slow.
These tokens are cached for 15 minutes by default. The timeout is completely configurable though. Have a look at the following article:
The simplest way to purge the token cache, however, is to recycle the Application Pool or to call the FlushTokenCache API (search for FlushTokenCache).
Hope this helps.
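The behaviour described in this thread, as an added example that is not part of the original posts and is not IIS code: a simplified model of a credential cache with a 15-minute lifetime. The class names, the `alice` account and the assumption that entries are keyed per user/password pair are constructed for illustration; the model shows why an old password, a new password and a deleted account can all keep working until the entry expires or the cache is flushed.

```python
import hashlib
TTL_SECONDS = 15 * 60  # default lifetime stated in the thread

class Directory:
    """Constructed stand-in for the account store behind LogonUser."""
    def __init__(self, accounts):
        self.accounts = dict(accounts)  # user -> current password
        self.logon_calls = 0            # counts the expensive round trips

    def logon_user(self, user, password):
        self.logon_calls += 1
        return user in self.accounts and self.accounts[user] == password

class TokenCache:
    """Simplified model (assumption): one entry per user/password pair."""
    def __init__(self, directory, ttl=TTL_SECONDS):
        self.directory, self.ttl = directory, ttl
        self.entries = {}               # credential digest -> expiry time

    def authenticate(self, user, password, now):
        key = hashlib.sha256(f"{user}\0{password}".encode()).hexdigest()
        if now < self.entries.get(key, 0):
            return True                 # cache hit: the directory is never asked
        self.entries.pop(key, None)     # absent or expired
        if self.directory.logon_user(user, password):
            self.entries[key] = now + self.ttl
            return True
        return False

    def flush(self):
        """Effect of recycling the application pool or calling FlushTokenCache."""
        self.entries.clear()

def demo():
    d = Directory({"alice": "old-pw"})       # constructed sample account
    cache = TokenCache(d)
    r = {"first_logon": cache.authenticate("alice", "old-pw", now=0)}
    d.accounts["alice"] = "new-pw"           # password changed
    r["old_pw_after_change"] = cache.authenticate("alice", "old-pw", now=120)
    r["new_pw_after_change"] = cache.authenticate("alice", "new-pw", now=130)
    del d.accounts["alice"]                  # account deleted
    r["deleted_within_ttl"] = cache.authenticate("alice", "new-pw", now=300)
    r["old_pw_after_ttl"] = cache.authenticate("alice", "old-pw", now=900)
    cache.flush()                            # purge before the new entry expires
    r["new_pw_after_flush"] = cache.authenticate("alice", "new-pw", now=910)
    r["logon_calls"] = d.logon_calls
    return r

if __name__ == "__main__":
    print(demo())
```

In this model the window during which a revoked credential is still accepted equals the cache lifetime, so shortening the lifetime or flushing after an account change trades extra logon calls for faster revocation.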
May 04, 2008 02:14 PM|louis02
Thanks Thomad for your quick reply.
At this moment we run Windows Server 2003 WebEdition with IIS6.
The entry for the token cache isn't in my registry. That's probably why the token isn't cached in Server 2003. Maybe it was changed in Server 2003 RC2?
I still found it strange, because when using Windows Authentication, there is no Token Cache.
Couldn't that cause just as much traffic?
I would use Windows Authentication, but the password isn't cached (or saved) by Internet Explorer.
I now understand how the TokenCache works and will lower the TimeOut in the registry, or I'll just recycle the Application Pool whenever I change the settings of a certain user.
Thanks for your time!