http://blogs.runatserver.com/dsevigny/default.aspxMy Girl Friend, My Twins and....ASP.NET / AJAXenCommunityServer 2007.1 (Build: 20917.1142)http://blogs.runatserver.com/dsevigny/archive/2008/01/04/token-cache-with-asp-net-and-basic-authentication.aspxFri, 04 Jan 2008 20:05:00 GMTea6c9293-c621-4a68-aeb8-5da5e5cb41f8:331Dominic Sévigny 0If you develop an ASP.NET application that use Basic Authentication , take care to be sure to change the registry on your staging IIS server. What? Yes, If your application use role based security to securing your pages, adding a new security group to...(<a href="http://blogs.runatserver.com/dsevigny/archive/2008/01/04/token-cache-with-asp-net-and-basic-authentication.aspx">read more</a>)<img src="http://blogs.runatserver.com/aggbug.aspx?PostID=331" width="1" height="1">ASP.NETDevelopmentActive DirectoryIIShttp://blogs.runatserver.com/dsevigny/archive/2007/10/27/my-codecamp-montreal-2007-presentation.aspxSat, 27 Oct 2007 18:56:00 GMTea6c9293-c621-4a68-aeb8-5da5e5cb41f8:60dsevigny9<p>Today, I gave a&nbsp;presentation at CodeCamp Montreal on ASP.NET/AJAX and Visual Studio 2008. Thanks to all attendees. You can download&nbsp;below my code and my powerpoint presentation.</p> <p>&nbsp;Thanks<br />Dominic</p><img src="http://blogs.runatserver.com/aggbug.aspx?PostID=60" width="1" height="1">ASP.NETSpeakingAjaxVisual Studio.NEThttp://blogs.runatserver.com/dsevigny/archive/2007/10/16/Token-Cache-with-ASP.NET-and-Basic-Authentication.aspxTue, 16 Oct 2007 20:22:00 GMTea6c9293-c621-4a68-aeb8-5da5e5cb41f8:25dsevigny56<p>If you develop an <strong>ASP.NET</strong> application that use <strong>Basic Authentication</strong>, take care to be sure to&nbsp;change the registry on your&nbsp;staging <strong>IIS</strong> server. What?&nbsp;Yes, If your application use role based security&nbsp;to&nbsp;securing your&nbsp;pages,&nbsp;adding a new security group to a Windows domain user don&#39;t automaticaly give access to theses pages.<br /><br />Why? Because&nbsp;when you use <strong>Basic authentication</strong>, user tokens are cached in the token cache. By default, tokens remain in the cache for 15 minutes. If you log on using <strong>Basic authentication</strong> with an account that has a high level of user logon rights, a successful attacker could use the account to gain access to the resources on your computer.</p> <p>The Microsoft article : <a href="http://wwwbeta.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/cf438d2c-f9c7-4351-bf56-d2ab950d7d6e.mspx?mfr=true">http://wwwbeta.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/cf438d2c-f9c7-4351-bf56-d2ab950d7d6e.mspx?mfr=true</a></p> <p>For&nbsp;a production&nbsp;environment,&nbsp;15 minutes is&nbsp;correct but when you are&nbsp;on&nbsp;the staging&nbsp;environment it&#39;s very frustrating to wait 15 minutes between each security test. You can change the TTL by modifying a key in the registry.</p> <p>How to&nbsp;change the registry key (Search for <strong>UserTokenTTL</strong> at the bottom of the page)&nbsp;: <a href="http://wwwbeta.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/cf438d2c-f9c7-4351-bf56-d2ab950d7d6e.mspx?mfr=true">http://wwwbeta.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/cf438d2c-f9c7-4351-bf56-d2ab950d7d6e.mspx?mfr=true</a></p> <p>Thanks<br />Dominic&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p><img src="http://blogs.runatserver.com/aggbug.aspx?PostID=25" width="1" height="1">ASP.NETDevelopmentTips and TricksActive DirectoryIIS