Does SDL Tridion CMS authenticate user’s credentials every time a user does an activity on the CME?

Question

It’s a plain vanilla SDL Tridion install where users are added in the CMS CME.

1. If user successfully log-in to the SDL Tridion CME (No LDAP-AD sync is used means MMC console has no LDAP-AD stuff).

2. Now user goes on doing his/her business edit/create of content page or navigation stuff around in CME.

3. Does Tridion authenticate every time user does such activity? Is this authentication done against the LDAP-AD or some sort of cache (if there is one?)

4. Long long time back someone from advised me there is a config in Tridion where you can turn it On or OFF to authenticate for each/every activity user does after successful login.... (am not able to recall the clarity of the conversation).

Answer 1

I believe IIS will indeed re-authenticate every request.

If you use something like Fiddler (which I strongly recommend) you will see that every request to a URL comes back first as an HTTP 401, then is sent back to the server with the correct credentials.

So, yes, every request must be authenticated. If you disable a user account while that user is working in Tridion, he will start getting "access denied" errors half way through their session.