Token Cache

Applies To: Windows Server 2003, Windows Server 2003 with SP1

When a request is made to the server, the security credentials for the request (or the configured anonymous user) are used to create a user token on the server. The server impersonates this user token when accessing files or other system resources. The token is cached in what is commonly called the token cache, so that the Windows logon only takes place the first time the user accesses the system or after the user's token has been flushed from the cache. If a token does not exist in the cache for an incoming request, IIS must call the Lsass.exe process to get the token. This call is expensive from a performance and scalability standpoint.

Note

Integrated Windows authentication tokens are not cached.

The IIS worker process is responsible for flushing the token cache. The worker process monitors the UserTokenTTL registry entry for change notification (TTL stands for time to live). If the token has expired (the default time to live is 15 minutes) or if the token has changed in any way, IIS flushes the token cache. Currently, there are no performance counters that monitor the token cache.
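The caching behavior described above, as a simplified model added here for illustration; it is not IIS code. The class and function names, the (user, password) cache key, per-entry expiry, and the injected clock are assumptions, and `logon_fn` stands in for the call to Lsass.exe.

```python
# Simplified model of the token cache described above (added example, not IIS code).
# Assumptions: the cache key is (user, password), expiry is tracked per entry,
# and logon_fn is a hypothetical stand-in for the expensive call to Lsass.exe.
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

DEFAULT_TTL_SECONDS = 15 * 60  # default time to live stated on the page

@dataclass
class TokenCache:
    logon_fn: Callable[[str, str], str]   # hypothetical stand-in for the Windows logon
    clock: Callable[[], float]            # injected so the example runs offline
    ttl: float = DEFAULT_TTL_SECONDS
    logon_calls: int = 0
    _entries: Dict[Tuple[str, str], Tuple[str, float]] = field(default_factory=dict)

    def get_token(self, user: str, password: str, integrated: bool = False) -> str:
        if integrated:
            # Integrated Windows authentication tokens are not cached.
            return self._logon(user, password)
        key = (user, password)
        hit = self._entries.get(key)
        now = self.clock()
        if hit is not None and now < hit[1]:
            return hit[0]                  # cache hit: no logon takes place
        self._entries.pop(key, None)       # expired entry is flushed
        token = self._logon(user, password)
        self._entries[key] = (token, now + self.ttl)
        return token

    def _logon(self, user: str, password: str) -> str:
        self.logon_calls += 1
        return self.logon_fn(user, password)

def simulate(request_times, ttl=DEFAULT_TTL_SECONDS, integrated=False) -> int:
    """Replay one user's requests at the given times (seconds); return the logon count."""
    now = [0.0]
    cache = TokenCache(logon_fn=lambda u, p: f"token:{u}:{now[0]:.0f}",
                       clock=lambda: now[0], ttl=ttl)
    for t in request_times:
        now[0] = t
        cache.get_token("alice", "constructed-password", integrated=integrated)
    return cache.logon_calls

if __name__ == "__main__":
    times = [0, 60, 600, 899, 900, 1000, 1900]  # constructed request times
    print("logons with cache:", simulate(times))
    print("logons, integrated auth:", simulate(times, integrated=True))
```

Every request that falls between two logons is served from the cached token, so the model also shows how long a token stays in use before the next Windows logon takes place.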