Managing Security (Windows Server AppFabric Caching)

This section describes common tasks for managing security for a cache cluster. For additional information about cache cluster security, see Security Model.

Security Options for the Cache Cluster

By default, data sent between cache clients and the cache cluster is encrypted and signed. The Set-CacheClusterSecurity Windows PowerShell command lets you change the security settings for the cache cluster. The following table describes the two parameters for Set-CacheClusterSecurity: SecurityMode and ProtectionLevel.


Parameter Values Description


None, Transport

A setting of Transport enables security, whereas a setting a None disables security.


None, Sign, EncryptAndSign

Specifies the type of security applied to cache cluster data.

The following command demonstrates how to turn off security on the cache cluster. The cache cluster must be stopped to successfully change the security settings.

Set-CacheClusterSecurity -SecurityMode None -ProtectionLevel None

Applications that use the cache cluster can also configure their cache client security requirements. Before changing the default security settings, make sure that the security requirements of the client applications are compatible with the new cache cluster security settings. For more information, see Security Model.

Granting and Revoking Windows Accounts

When the security mode is set to Transport, any clients of the cache cluster must be specifically added to the allowed client account list. The Grant-CacheAllowedClientAccount Windows PowerShell command grants Windows accounts access to the cache cluster. The following example adds a domain account, DOMAINNAME\username to the list of allowed accounts.

Grant-CacheAllowedClientAccount -Account "DOMAINNAME\username"

Note that if the client application is running as a built-in machine account, such as "NT Authority\Network Service", you can grant the machine access to the cache cluster. To do this, use the machine account, which is the domain name and machine name with an appended dollar sign. The following example grants cache cluster access to a machine named Server1 in a domain named DOMAIN1.

Grant-CacheAllowedClientAccount -Account "DOMAIN1\Server1$"

For ASP.NET web applications that use AppFabric caching, you must grant access to the identity that the application pool uses. In many cases, this is a built-in machine account, and you can grant access to the machine count as shown in the previous example. However, if you have a test machine that is both the web server and the cache cluster, you need to grant access directly to the built-in machine account. The following example grants cache cluster access to the "NT Authority\Network Service" account directly.

Grant-CacheAllowedClientAccount -Account "NT Authority\Network Service"

To list the accounts that have been allowed, use the Get-CacheAllowedClientAccounts command.


To revoke cache cluster access to an account, use the Revoke-CacheAllowedClientAccount command.

Revoke-CacheAllowedClientAccount -Account "DOMAINNAME\username"

See Also

Community Additions