Wrong authentication after changing user's logon name

Biri · Apr 5, 2011 · Viewed 7.4k times

We have a user who recently changed their name.

Let's say the old username was old.name and the new username is new.name.

After editing the details in AD and logging out and back in with the new user name, our ASP.NET application shows the old name.

Plain ASP.NET, no MVC, using Windows authentication.

The code for getting the user name is:

WindowsPrincipal wp = (WindowsPrincipal)HttpContext.Current.User;
String userName = wp.Identity.Name.Substring(wp.Identity.Name.IndexOf("\\") + 1);

This returns old.name, not new.name.

I checked the IIS log files; these show the new name:

2011-04-05 11:41:44 W3SVC1 MARS 10.57.1.64 GET /eft/Default.aspx - 80 - 10.57.0.161 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+.NET4.0C;+.NET4.0E) 401 2 2148074254

2011-04-05 11:41:44 W3SVC1 MARS 10.57.1.64 GET /eft/Default.aspx - 80 SANOMABP\new.name 10.57.0.161 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+.NET4.0C;+.NET4.0E) 200 0 0

We have restarted the application pool, we have checked the AD data, and we have no more ideas about what could be wrong.

Answer

roman m · Aug 3, 2011

MOVING CORRECT ANSWER FROM COMMENTS FOR CLARITY:

@paolo: you may try looking at support.microsoft.com/kb/946358

Workaround


To work around this issue, disable the local SID cache on the domain member computer. To do this, follow these steps:

  1. Open Registry Editor.

    To do this in Windows XP or in Windows Server 2003, click Start, click Run, type regedit, and then click OK.

    To do this in Windows Vista and newer, click Start, type regedit in the Start Search box, and then press ENTER.

  2. Locate and then right-click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

  3. Point to New, and then click DWORD Value.

  4. Type LsaLookupCacheMaxSize, and then press ENTER.

  5. Right-click LsaLookupCacheMaxSize, and then click Modify.

  6. In the Value data box, type 0, and then click OK.

  7. Exit Registry Editor.
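
A diagnostic for the situation above, as an added example that is not part of the original question or answer: it compares the name in `Identity.Name` with the name a domain controller currently holds for the same SID, so a mismatch points to a stale local SID-to-name lookup rather than to the AD data. `LogonNameCheck` and its methods are hypothetical names; the code assumes the application pool identity can query the domain and that the project references System.DirectoryServices.AccountManagement.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using System.Web;

// Added example (hypothetical helper, not from the original post).
public static class LogonNameCheck
{
    // Strips the "DOMAIN\" prefix, as the Substring call in the question does.
    public static string StripDomain(string name)
    {
        if (string.IsNullOrEmpty(name)) return name;
        int slash = name.IndexOf('\\');
        return slash >= 0 ? name.Substring(slash + 1) : name;
    }

    // Asks a domain controller which account currently owns this SID.
    // Assumption: the process identity is allowed to read the directory.
    public static string LookupNameBySid(SecurityIdentifier sid)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.Sid, sid.Value))
        {
            return user == null ? null : user.SamAccountName;
        }
    }

    // Returns a one-line report suitable for a trace log.
    public static string Describe(HttpContext context)
    {
        var identity = context.User.Identity as WindowsIdentity;
        if (identity == null || identity.User == null)
            return "Request is not Windows-authenticated.";

        string cached = StripDomain(identity.Name);       // name as resolved locally
        string current = LookupNameBySid(identity.User);  // name held in the directory
        if (current == null)
            return "SID " + identity.User.Value + " not found in the domain.";

        bool stale = !string.Equals(cached, current, StringComparison.OrdinalIgnoreCase);
        return string.Format("SID={0} Identity.Name={1} directory={2} stale={3}",
            identity.User.Value, cached, current, stale);
    }
}
```

The SID does not change when an account is renamed, so keying authorization and audit records on `identity.User.Value` rather than on the logon name keeps them stable across renames.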