The information in this article applies to:
SUMMARY
Microsoft Exchange Server version 5.0 supports a number of native Internet
protocols, including SMTP, POP3, NNTP, and LDAP. Of these protocols, POP3,
NNTP, and LDAP support authentication, in which the user's logon
credentials are validated to determine their access permissions for the
desired mailbox, newsgroup, or directory object. Exchange Server 5.0
supports both the strong Windows NT Challenge/Response authentication,
which never passes the password across the network, and Basic (plain-text
password) authentication. Basic authentication can optionally be combined
with SSL network session encryption to protect passwords and content
against sniffer attacks. All logon processes are mapped to a Windows NT
security account, regardless of the authentication protocol used.
MORE INFORMATION
The credentials cache is controlled by the following registry values:
(Default = 120 minutes)
(Default = 15 minutes)
(Default = 256 buckets; to turn off caching, set the size to 0)

The age limit specifies the maximum length of time (in minutes) that entries
live in the cache. The idle limit specifies the amount of idle time after
which a credential cache element is considered too old and is discarded.

Most users will not be affected by this issue. For some environments this
behavior represents a relatively minor risk. If a user discovers that their
password has been compromised and changes it, there is an additional window
of time (around 15 minutes if the session is idle) during which an attacker
could still use the compromised password to access mail or newsgroups via
POP3 or NNTP.

Most users will not need to make any changes to their environment. Users
who need additional assurance can change the registry parameters indicated
above to smaller values that are acceptable in their environment. Setting
the credentials cache size to 0 (zero) causes a new authentication to be
performed for every Internet protocol user session. Because Internet
sessions are often short and bursty, the tradeoff for disabling credential
caching is a potential reduction in performance. The effect depends on the
number of Internet users on your system, the frequency with which they
check mail, and the location and load of your Windows NT Domain
Controllers. Setting the cache to zero is not recommended for most
environments.

This behavior is by product design.

For information about how to change the delay before user tokens are
updated in Microsoft Internet Information Server, see the following article
in the Microsoft Knowledge Base:
Q152526 Changing the Default Interval for User Tokens in IIS
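The following model, added here as an illustration and not Microsoft's own code, shows how an age limit, an idle limit and a cache size interact to produce the window described above. The cache semantics (a hit refreshes the idle timer but not the age timer; a miss or a mismatch goes to the domain controller; size 0 disables caching) are an assumption drawn from the article's description, and the account names and timeline are constructed.

```python
"""Model of an Internet-protocol credentials cache with an age limit, an idle
limit and a size (assumed semantics, not Exchange Server code). Times are in
minutes, matching the units of the registry values."""

from dataclasses import dataclass


@dataclass
class CacheEntry:
    secret: str        # credential accepted on the last successful logon
    created_at: float  # start of the entry's lifetime (governed by the age limit)
    last_used: float   # time of the last hit (governed by the idle limit)


class DomainController:
    """Stand-in for the Windows NT domain controller: the authoritative password store."""

    def __init__(self, accounts):
        self.accounts = dict(accounts)
        self.validations = 0  # round trips to the DC; this is the cost caching saves

    def validate(self, user, secret):
        self.validations += 1
        return self.accounts.get(user) == secret

    def change_password(self, user, new_secret):
        self.accounts[user] = new_secret


class CredentialsCache:
    """Cache in front of the domain controller. size=0 disables caching."""

    def __init__(self, dc, age_limit=120, idle_limit=15, size=256):
        self.dc = dc
        self.age_limit = age_limit
        self.idle_limit = idle_limit
        self.size = size
        self.entries = {}

    def _live_entry(self, user, now):
        entry = self.entries.get(user)
        if entry is None:
            return None
        if now - entry.created_at > self.age_limit or now - entry.last_used > self.idle_limit:
            del self.entries[user]  # too old, or idle too long: discard
            return None
        return entry

    def authenticate(self, user, secret, now):
        """Return True if the logon is accepted. A live cache entry is consulted
        first; only a miss (or a mismatch) is validated by the domain controller."""
        if self.size > 0:
            entry = self._live_entry(user, now)
            if entry is not None and entry.secret == secret:
                entry.last_used = now  # a hit refreshes the idle timer, not the age timer
                return True
        if not self.dc.validate(user, secret):
            return False
        if self.size > 0:
            if user not in self.entries and len(self.entries) >= self.size:
                oldest = min(self.entries, key=lambda u: self.entries[u].last_used)
                del self.entries[oldest]  # cache full: evict the least recently used entry
            self.entries[user] = CacheEntry(secret, now, now)
        return True


def password_change_scenario(size=256, age_limit=120, idle_limit=15):
    """Constructed timeline: a user changes a compromised password, then the old
    password is tried again inside and outside the idle limit."""
    dc = DomainController({"alice": "old-secret"})
    cache = CredentialsCache(dc, age_limit, idle_limit, size)
    cache.authenticate("alice", "old-secret", now=0)  # normal POP3 check; entry cached
    dc.change_password("alice", "new-secret")         # password changed at the DC
    return {
        "old_secret_at_10": cache.authenticate("alice", "old-secret", now=10),
        "old_secret_at_26": cache.authenticate("alice", "old-secret", now=26),
        "new_secret_at_27": cache.authenticate("alice", "new-secret", now=27),
        "dc_validations": dc.validations,
    }


def repeated_use_is_capped_by_age_limit(age_limit=120, idle_limit=15):
    """Using the entry every 10 minutes keeps it inside the idle limit; the age
    limit is what finally forces a fresh validation."""
    dc = DomainController({"bob": "old-secret"})
    cache = CredentialsCache(dc, age_limit, idle_limit, 256)
    cache.authenticate("bob", "old-secret", now=0)
    dc.change_password("bob", "new-secret")
    return [cache.authenticate("bob", "old-secret", now=t) for t in range(10, 140, 10)]


if __name__ == "__main__":
    print("cache enabled :", password_change_scenario(size=256))
    print("cache disabled:", password_change_scenario(size=0))
    print("every 10 min  :", repeated_use_is_capped_by_age_limit())
```

With the default size the old password is still accepted ten minutes after the change and is refused once the entry has sat idle for more than 15 minutes; with the size set to 0 every logon reaches the domain controller, so the old password is refused immediately at the cost of one extra validation per session. The second scenario shows why the age limit matters as well as the idle limit: an entry that keeps being used never idles out, and only the age limit ends its life.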
Keywords: kbusage XGEN
Last Reviewed: April 14, 1999
© 2000 Microsoft Corporation. All rights reserved.