Tech Line
Access Token Commotion
What's really in that access token?
Chris: I have a general idea of what the access token does,
but really don't know exactly what's in it. Can you give me more details?
--James
James, you're not alone in having a basic understanding of access tokens.
Many administrators see access tokens as the reason why users have to
log off and then log back on after their group membership has changed.
Beyond that, most administrators that I have run into understand that
the access token contains a user's group memberships and thus allows the
user to traverse domain resources with a single login. This is because
the access token contains the Security ID (SID) or the user object and
the SID of every group in which the user is a member.
Tech Help—Just An
E-Mail Away |
|
Got a Windows, Exchange or virtualization question
or need troubleshooting help? Or maybe you want a better
explanation than provided in the manuals? Describe
your dilemma in an e-mail to the MCPmag.com editors
at mailto:[email protected];
the best questions get answered in this column and garner
the questioner with a nifty MCPmag.com baseball-style
cap.
When you send your questions, please include your
full first and last name, location, certifications (if
any) with your message. (If you prefer to remain anonymous,
specify this in your message, but submit the requested
information for verification purposes.)
|
|
|
After logon, every process and thread that executes using the user's
privileges will contain the access token. This allows the process to access
network resources on the user's behalf without having to supply the user's
credentials. Since the access token is created at the time a user logs
on, the only way to refresh it is to log off and then log back on again.
There are several very well written articles produced by Microsoft that
offer the detail that you are looking for.
One of the very best articles written on Access Tokens is "Addressing
Problems Due to Access Token Limitation." While lengthy (43 pages),
it is far and away the most thorough online Access Token reference. This
will probably answer all of your access token questions, and then some.
If you're up for a lighter read on Access Tokens, try the "Access
Token Technical Reference." This is just a few pages in length,
but provides a very concise overview of how Access Tokens operate.
If you're looking for a great tool for troubleshooting Access Tokens
and privilege use, give Tokenmon
a try. This free tool from Sysinternals.com is excellent at revealing
how (under which credentials) users or processes are attempting to connect
to a server. While the tool's output is pretty extensive, the output can
be filtered so as to narrow down what you are looking for.
On Windows 2003 servers, another excellent tool for troubleshooting Access
Tokens is the command-line tool whoami. If you run whoami
/all, you will see the contents of your current access token, complete
with SID associations.
Between the online references and these troubleshooting tools, hopefully
you will have plenty of ammunition to take on access tokens.
On another note, I would like to hear from all of you on your favorite
free troubleshooting tools. I will provide information on all of the tools
I receive in a future column. The reader that sends me the most quality
tool resources will get a signed copy of my book Troubleshooting
Microsoft Technologies.