Cache an IIS security token in Windows 2000 Server
Published: 26 Jun 2006 11:05 BST
Security in Windows 2000 Server is based on tokens. When you log on, the operating system creates a token for you that contains all the security identifiers (SIDs) for the groups you belong to and your privileges. Whenever you try to access a resource, the operating system checks your token and the ACL on the resource to determine if you're allowed to access that resource.
By default, Internet Information Services (IIS) caches the token and waits 15 minutes before updating it. This delay can cause a problem in some situations, such as after changing passwords. You have two options for eliminating this wait: stop and restart all IIS services, or change the default update interval through a registry edit.
To change IIS's default update interval, first open the Registry Editor (Regedt32.exe) and go to the registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\InetInfo\Parameters
Then,
- On the Edit menu, click Add Value.
- Type "UserTokenTTL" in the Value Name text box, and select REG_DWORD as the Data Type.
- In the Data box, type the number of seconds for the token to be cached. (For Windows 2000 IIS5 the minimum is 1 second.)
- Close the Registry Editor and then stop and restart all IIS services.
For performance reasons, be careful not to set the UserTokenTTL value too low. If you make updates infrequently, use the stop-restart method mentioned in paragraph two, above.
Note: Editing the registry can be risky, so be sure you have a verified backup before making any changes.
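The registry procedure above as a Windows Script Host script, an added example that is not part of the original article: it validates the interval, shows the existing setting, writes UserTokenTTL as a REG_DWORD, and restarts IIS. The script name and the use of iisreset for the restart are this example's assumptions; run it as an administrator.

```vbscript
' Added example, not from the original article.
' Usage: cscript //nologo set-tokenttl.vbs <seconds>   (script name is hypothetical)
Option Explicit

Const VALUE_PATH = "HKLM\System\CurrentControlSet\Services\InetInfo\Parameters\UserTokenTTL"

Dim shell, n, ttl, current, rc
Set shell = CreateObject("WScript.Shell")

' Validate the argument: a whole number of seconds, minimum 1, that fits a REG_DWORD
' as VBScript can pass it (a signed 32-bit Long).
If WScript.Arguments.Count <> 1 Then Fail "Usage: cscript //nologo set-tokenttl.vbs <seconds>", 1
If Not IsNumeric(WScript.Arguments(0)) Then Fail "TTL must be a whole number of seconds.", 1
n = CDbl(WScript.Arguments(0))
If n < 1 Or n > 2147483647 Or n <> Fix(n) Then Fail "TTL must be a whole number from 1 to 2147483647.", 1
ttl = CLng(n)

' Report the current setting. RegRead raises an error when the value does not exist,
' which means IIS is still using its default 15-minute interval.
On Error Resume Next
current = shell.RegRead(VALUE_PATH)
If Err.Number <> 0 Then
    WScript.Echo "UserTokenTTL is not set; the default 15-minute interval applies."
    Err.Clear
Else
    WScript.Echo "Current UserTokenTTL: " & current & " seconds"
End If
On Error GoTo 0

' Write the value as REG_DWORD, then read it back before touching the services.
shell.RegWrite VALUE_PATH, ttl, "REG_DWORD"
If CLng(shell.RegRead(VALUE_PATH)) <> ttl Then Fail "Could not verify the write; IIS was not restarted.", 2
WScript.Echo "UserTokenTTL set to " & ttl & " seconds."

' Final step of the procedure: stop and restart all IIS services.
' iisreset is this example's choice of tool for that step.
rc = shell.Run("iisreset /restart", 1, True)
If rc <> 0 Then Fail "iisreset exited with code " & rc & "; restart the IIS services manually.", 3
WScript.Echo "IIS services restarted."

Sub Fail(message, code)
    WScript.Echo message
    WScript.Quit code
End Sub
```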







