IIS Returning Old User Names to my application

Dave Markle picture Dave Markle · Oct 3, 2008 · Viewed 21.3k times · Source

Here's my scenario. I created an application which uses Integrated Windows Authentication in order to work. In Application_AuthenticateRequest(), I use HttpContext.Current.User.Identity to get the current WindowsPrincipal of the user of my website.

Now here's the funny part. Some of our users have recently gotten married, and their names change. (i.e. the user's NT Login changes from jsmith to jjones) and when my application authenticates them, IIS passes me their OLD LOGIN . I continue to see jsmith passed to my application until I reboot my SERVER! Logging off the client does not work. Restarting the app pool does not work. Only a full reboot.

Does anyone know what's going on here? Is there some sort of command I can use to flush whatever cache is giving me this problem? Is my server misconfigured?

Note: I definitely do NOT want to restart IIS, my application pools, or the machine. As this is a production box, these are not really viable options.


AviD -

Yes, their UPN was changed along with their login name. And Mark/Nick... This is a production enterprise server... It can't just be rebooted or have IIS restarted.


Follow up (for posterity):

Grhm's answer was spot-on. This problem pops up in low-volume servers where you don't have a lot of people using your applications, but enough requests are made to keep the users' identity in the cache. The key part of the KB which seems to describe why the cache item is not refreshed after the default of 10 minutes is:

The cache entries do time out, however chances are that recurring queries by applications keep the existing cache entry alive for the maximum lifetime of the cache entry.

I'm not exactly sure what in our code was causing this (the recurring queries), but the resolution which worked for us was to cut the LsaLookupCacheExpireTime value from the seemingly obscene default of 1 week to just a few hours. This, for us, cut the probability that a user would be impacted in the real world to essentially zero, and yet at the same time doesn't cause an extreme number of SID-Name lookups against our directory servers. An even better solution IMO would be if applications looked up user information by SID instead of mapping user data to textual login name. (Take note, vendors! If you're relying on AD authentication in your application, you'll want to put the SID in your authentication database!)

Answer

Grhm picture Grhm · Oct 7, 2011

I've had similar issues lately and as stated in Robert MacLean's answer, AviD's group policy changes don't work if you're not logging in as the users.

I found changing the LSA Lookup Cache size as described is MS KB946358 worked without rebooting or recycling any apppool or services.

I found this as an answer to this similar question: Wrong authentication after changing user's logon name.

You might want to look into the following system calls such as the following ones:

LookupAccountName()

LookupAccountSid()

LsaOpenPolicy()

You could use them to write a C++/CLI (/Managed-C++) app to interrogate the LSA cache.