SA access count

admin_2 · ‎04-27-2001

Is there a way to find who is using the SA? We have been running into access denied due to too many sessions and would like to find out who is logged in the SA.<br><br>schois

Report Inappropriate Content · ‎04-27-2001

That’s actually a good question… I would have thought IIS would have a snappy way to simply kick this information out with a script, but so far as I can tell that’s not the case. Lots of ways to get the current connectivity counts, bytes transferred, sent etc… but no easy way to list the IP addresses of the currently connected sessions (at least as far as I could find). If you’re interested in the count thing, here’s a link to follow with info on how to configure PerfMon to kick out that info:

http://support.microsoft.com/support/kb/articles/Q143/1/94.asp

You can also look in the logs generated under System32\LogFiles\W3SVC1 directory. It’s kinda big since you’ll see entries every time the user hits a page or loads a control etc… this is also handy for seeing who was in what pages when (the Administrative Access report pulls from here among other places but doesn’t give the level of detail you’ll find in the raw log, of course).

The only way I could find digging around and talking to some folks was to use the NetStat application. Playing around with this on my test servers showed that I could get a pretty good list of the folks currently connected and those who had been connected recently, but it’s not totally clean. At the command line on my Unity server, entering the command:

netstat –p TCP –n

produces an output that looks like this:

Proto Local Address Foreign Address State
TCP 10.10.1.1:389 10.10.1.1:1058 TIME_WAIT
TCP 10.10.1.1:389 10.10.1.1:1059 TIME_WAIT
TCP 10.10.1.1:389 10.10.1.1:1062 ESTABLISHED
TCP 10.10.1.1:389 10.10.1.1:1074 ESTABLISHED
TCP 10.10.1.1:1024 10.10.1.1:1147 ESTABLISHED
TCP 10.10.1.1:1024 10.10.1.1:1168 ESTABLISHED
TCP 10.10.1.1:1026 10.10.1.1:1112 ESTABLISHED

It’s actually much larger since it’s also a DNS server, email server etc… and several clients were attached, but you get the idea. A member server dump is much cleaner. If you drop the “-n” it kicks out server names and domains etc… instead of IDs and instead of looking for port 80, look for “http” in the local address. Anyway, with one client connected to the SA, the dump includes these lines for port 80:

Proto Local Address Foreign Address State
TCP 10.10.1.1:80 10.10.1.2:1172 TIME_WAIT
TCP 10.10.1.1:80 10.10.1.2:1173 ESTABLISHED
TCP 10.10.1.1:80 10.10.1.2:1174 TIME_WAIT
TCP 10.10.1.1:80 10.10.1.2:1175 ESTABLISHED

Yes, there’s actually 4 entries for 1 connection. I’m not real clear on exactly what all 4 mean but you have an inbound and an outbound port working here. If that user terminates their session (with or without logging out) both the ‘TIME_WAIT’ sessions will be left and the two “ESTABLISHED” states will drop off… The two “TIME_WAIT” lines will drop off after a period of time (not a full session timeout of 15 minutes, I’m not sure where this time comes from, it’s only a few minutes on my boxes). The problem is, it’ll look exactly the same if you log out properly or if you don’t, yet the SA sessions will stay at 1 if you don’t log out and it’ll go to 0 if you do. I couldn’t find any way of distinguishing which users were responsible for “burning” a session and which were not other than looking in the logs mentioned above which is a bit tedious. Perhaps some helpful web jockey out here has some insight into this one…

That said, I could get a reasonably good idea of who was currently attached and who was recently attached to the web server on Unity which I think is what you’re looking for. I’ll keep hunting around for a snappier “active session dump” type utility since it seems to me this would be pretty handy to have around.

Hope that helps.

Jeff Lindborg
Unity Product Architect/Answer Monkey
Cisco Systems
lindborg@cisco.com
http://www.AnswerMonkey.net (new page for Unity support tools and scripts)