Application Pool timeouts.
on 08.03.2006 23:54:18 by JMCD
Hi,
I posted before suggesting that I had a Kerberos timeout issue, but this was
incorrect.
I have found that there is a global application pool setting of 30 minutes
timeout and a default application pool setting of 20 minutes. This is
partially where my problem is.
It only happens when using Kerberos authentication.
When a user has been idle for more than 20 minutes their session is timed
out and thus closed. However, Internet Explorer on their desktop is still
open and unaware that their session is timed out.
When the user now tries to get access to anything on the website I would
expect IIS to request IE to reauthenticate, but it does not. Instead it allows
the user to connect anonymously.
Anonymous logon has been removed from the website properties and NTFS
security on the web folders is locked down to prevent anonymous logon.
Also, restarting IIS kills all their sessions and they thus experience the same
issues.
My current workaround is to open up both timeouts to be 8 hours. This means
that a user session should never time out within their work shift.
Anybody have any ideas on this?
Thanks,
JMCD
Re: Application Pool timeouts.
on 09.03.2006 07:21:29 by Ken Schaefer
"JMCD" wrote in message
news:8F9E1EAB-EDBA-4315-A3EA-1011E75A9B5B@microsoft.com...
: Hi,
:
: I posted before suggesting that I had a Kerberos timeout issue, but this was
: incorrect.
: I have found that there is a global application pool setting of 30 minutes
: timeout and a default application pool setting of 20 minutes. This is
: partially where my problem is.
: It only happens when using Kerberos authentication.
: When a user has been idle for more than 20 minutes their session is timed
: out and thus closed. However, Internet Explorer on their desktop is still
: open and unaware that their session is timed out.
What session are you talking about here? A "kerberos session" or some
application level session?
: When the user now tries to get access to anything on the website I would
: expect IIS to request IE to reauthenticate, but it does not. Instead it allows
: the user to connect anonymously.
IE will continue sending whatever credentials it sent last time. It doesn't
connect "anonymously" if it connected using Kerberos previously.
Can you post the relevant logfile entries from the IIS logfile please?
: Anonymous logon has been removed from the website properties and NTFS
: security on the web folders is locked down to prevent anonymous logon.
So, IIS can't be allowing anonymous logon then?
: Also, restarting IIS kills all their sessions and they thus experience the same
: issues.
:
: My current workaround is to open up both timeouts to be 8 hours. This means
: that a user session should never time out within their work shift.
:
: Anybody have any ideas on this?
Well, my initial thoughts are that this is very confusing to read for
someone who's not on site.
For Kerberos authentication to IIS, IE sends a service ticket. For each
subsequent request, IE will continue sending that same ticket until either
IE is closed, or the server says that the ticket is not valid (in which case
the user is prompted to enter alternate credentials).
So, what I'm confused about is:
a) what the 20 minute application pool session timeout has to do with
Kerberos (I'm assuming you're talking about ASP/ASP.NET sessions or
something)
b) why you think IE is attempting an anonymous logon (please provide some
evidence of this please)
c) why IIS would be allowing an anonymous logon given that you've explicitly
configured this not to be allowed.
Cheers
Ken
Re: Application Pool timeouts.
on 09.03.2006 09:17:26 by JMCD
Thanks for the reply.
FYI, it is using Kerberos to authenticate the user and it is connecting
successfully. I have used the Kerbtray utility to confirm this. Also, there
are back end systems/shares that are set up as virtual directories. Those
servers show security events confirming Kerberos connections for the user but
coming from the intranet server. This is as expected and there are no
anonymous connections being made at this time. Everything works fine at this
point.
In answer to your questions -
a) From what I understand, the application pool timeout is the timeout for
an idle session which is created by a browser.
When the default application pool is set to 20 minutes, if the user's browser
is idle for 20 minutes or longer the problems occur.
When I pump this value up to 8 hours the users do not appear to have a
problem unless they leave Internet Explorer idle for 8 hours.
b) After the 20 minutes is up, I have confirmed that when the user tries to
access a back end system via the intranet, security event logs on the back
end servers say that an anonymous user is trying to connect from the intranet
server. Since the anonymous user does not have access to the directory they
get errors, though there are no access denied messages in the event logs.
Clicking refresh for Internet Explorer does not fix the problem.
Browsing to another site and then browsing back to the intranet does fix the
problem.
Closing Internet explorer and opening it again also fixes the problem.
Note that the problem also occurs if I restart IIS while the user has the
browser open.
c) I don't know how anonymous logon could be allowed when I have only
allowed Integrated Authentication and defined NTFS security which doesn't
allow anonymous access. The weird thing is, when the user is experiencing the
problem the IIS logs correctly list the user as being the one who requested
the info and not the anonymous user.
They can also browse to other pages on the intranet without a problem.
I do not experience this problem when the site uses NTLM and prompts the
user to supply login credentials. When using NTLM, the session timeout
setting does not seem to affect the users.
Re: Application Pool timeouts.
on 10.03.2006 04:56:50 by Ken Schaefer
In response to your points below:
: a) From what I understand, the application pool timeout is the timeout for
: an idle session which is created by a browser.
: When the default application pool is set to 20 minutes, if the user's browser
: is idle for 20 minutes or longer the problems occur.
: When I pump this value up to 8 hours the users do not appear to have a
: problem unless they leave Internet Explorer idle for 8 hours.
I still don't understand what timeout you are talking about exactly. I
*assume* you are talking about the "idle timeout" located at: web app pool
properties -> performance tab -> Idle Timeout -> "shutdown worker processes
after being idle for (time in minutes)"
This is called "Idle Timeout", not "Application Pool Timeout". Is this what
you are talking about? Or something else? If so, this causes the Web
Application Pool's w3wp.exe process to be shut down by IIS when no requests
are made to any websites in that pool by *any* browser within a 20 minute
period.
: c) I don't know how anonymous logon could be allowed when I have only
: allowed Integrated Authentication and defined NTFS security which doesn't
: allow anonymous access. The weird thing is, when the user is experiencing the
: problem the IIS logs correctly list the user as being the one who requested
: the info and not the anonymous user.
So, from your logfiles it is clear that the browser is still sending the
credentials, and IIS is logging on the appropriate user. So this is nothing
to do with the client per se.
Can you post the corresponding logfile entries (per my request in the
previous email), and security related logfile entries?
Can you verify that the server is getting a service ticket on behalf of the
end user for the remote backend services?
Cheers
Ken
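Ken asks for the IIS log entries and the matching back-end security events side by side, and JMCD reports that the front-end log names the user while the back end sees an anonymous connection after the 20-minute idle period. The script below, an added example that is not part of the thread and not Microsoft's or either poster's code, does that correlation over constructed sample data: it parses an IIS 6 W3C extended log using its `#Fields:` directive, computes each user's idle gap between consecutive requests, and flags requests where the front end logged an authenticated user but a back-end event within a couple of seconds recorded ANONYMOUS LOGON from the intranet server. The log lines, host names, IP addresses, the user `CORP\jdoe` and the event field layout are all constructed for the example; the 20-minute value is the default application pool idle timeout discussed in the thread.

```python
"""Correlate front-end IIS W3C log entries with back-end security events.

Added example (not from the thread): for each authenticated request on the
front end, check whether a back-end security event at the same moment shows
ANONYMOUS LOGON, and whether the request followed an idle gap at least as long
as the application pool idle timeout. All sample data below is constructed.
"""
from datetime import datetime, timedelta

# Default application pool idle timeout from the thread (20 minutes).
IDLE_TIMEOUT = timedelta(minutes=20)

# Constructed IIS 6 W3C extended log excerpt from the intranet (front-end) server.
# Field names follow the standard W3C extended log format; values are made up.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-03-09 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2006-03-09 08:00:05 10.0.0.10 GET /reports/daily.aspx - 80 CORP\\jdoe 10.0.1.25 Mozilla/4.0 200 0 0
2006-03-09 08:05:12 10.0.0.10 GET /reports/daily.aspx - 80 CORP\\jdoe 10.0.1.25 Mozilla/4.0 200 0 0
2006-03-09 08:31:40 10.0.0.10 GET /reports/daily.aspx - 80 CORP\\jdoe 10.0.1.25 Mozilla/4.0 500 0 5
"""

# Constructed back-end security-event excerpt (the file server behind the
# virtual directory), reduced to the fields the correlation needs.
BACKEND_EVENTS = [
    {"time": "2006-03-09 08:00:05", "account": "CORP\\jdoe", "workstation": "INTRANET01", "package": "Kerberos"},
    {"time": "2006-03-09 08:05:12", "account": "CORP\\jdoe", "workstation": "INTRANET01", "package": "Kerberos"},
    {"time": "2006-03-09 08:31:40", "account": "NT AUTHORITY\\ANONYMOUS LOGON", "workstation": "INTRANET01", "package": "NTLM"},
]

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by the #Fields directive."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        values = line.split()
        if fields is None or len(values) != len(fields):
            raise ValueError("log line does not match #Fields directive: " + line)
        row = dict(zip(fields, values))
        row["timestamp"] = datetime.strptime(row["date"] + " " + row["time"], TIME_FORMAT)
        rows.append(row)
    return rows


def find_delegation_failures(iis_rows, backend_events, idle_timeout=IDLE_TIMEOUT,
                             tolerance=timedelta(seconds=2)):
    """Return front-end requests whose matching back-end event was anonymous.

    Each finding records the user IIS logged, the idle gap since that user's
    previous request, and whether the gap reached the idle timeout.
    """
    events = [dict(e, timestamp=datetime.strptime(e["time"], TIME_FORMAT)) for e in backend_events]
    last_seen = {}
    findings = []
    for row in sorted(iis_rows, key=lambda r: r["timestamp"]):
        user = row["cs-username"]
        if user == "-":
            continue  # IIS logs '-' for requests it served anonymously
        gap = row["timestamp"] - last_seen.get(user, row["timestamp"])
        last_seen[user] = row["timestamp"]
        # Back-end events recorded within the tolerance window of this request.
        nearby = [e for e in events if abs(e["timestamp"] - row["timestamp"]) <= tolerance]
        anonymous = [e for e in nearby if "ANONYMOUS LOGON" in e["account"].upper()]
        if anonymous:
            findings.append({
                "time": row["timestamp"],
                "front_end_user": user,
                "uri": row["cs-uri-stem"],
                "idle_gap_minutes": gap.total_seconds() / 60,
                "after_idle_timeout": gap >= idle_timeout,
                "backend_package": anonymous[0]["package"],
                "backend_workstation": anonymous[0]["workstation"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_delegation_failures(parse_iis_log(IIS_LOG), BACKEND_EVENTS):
        print("%(time)s %(front_end_user)s -> %(uri)s: back end saw anonymous (%(backend_package)s) "
              "after %(idle_gap_minutes).1f min idle; past idle timeout: %(after_idle_timeout)s" % finding)
```

On the constructed data the third request is flagged: the front end still logs `CORP\jdoe` (matching JMCD's observation that the IIS log names the user), the back end records an anonymous NTLM logon from the intranet server, and the 26.5-minute idle gap exceeds the 20-minute idle timeout. Run against real logs, the `after_idle_timeout` flag is what separates an idle-timeout correlation from an unrelated delegation failure.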