IIS Returning Old User Names to my application

时光说笑 2020-12-23 20:55

Here's my scenario. I created an application which uses Integrated Windows Authentication in order to work. In Application_AuthenticateRequest(), I use

8 answers
  • 2020-12-23 21:09

    Restarting IIS, not the whole machine, should do the trick.

    0 · Discussion (0)
  • 2020-12-23 21:20

    I've had similar issues lately and as stated in Robert MacLean's answer, AviD's group policy changes don't work if you're not logging in as the users.

    I found changing the LSA Lookup Cache size as described in MS KB946358 worked without rebooting or recycling any apppool or services.

    I found this as an answer to this similar question: Wrong authentication after changing user's logon name.

    You might want to look into the following system calls such as the following ones:

    • LookupAccountName()
    • LookupAccountSid()
    • LsaOpenPolicy()

    You could use them to write a C++/CLI (/Managed-C++) app to interrogate the LSA cache.

    0 · Discussion (0)
  • 2020-12-23 21:22

    When these users' names were changed, did you change only their NT Login names, or their UPN names too? The UPN names are the proper names, and used by Kerberos - which is the default protocol for IWA; however, if you just click to change their name in Active Directory, only the NT Login name changes - even though that's what they would use to login (using the default Windows GINA). Under the covers, Windows would translate the (new) NT Login name to the (old) Kerberos name. This persists until AD is forced to update the Kerberos name according to the NT Login name...

    0 · Discussion (0)
  • 2020-12-23 21:23

    I know we've had cached credentials problems in IIS in the past here, too, and after Googling for days we came across an obscure (to us, at least) command you can use to view and clear cached credentials.

    Start -> Run (or WinKey+R) and type control keymgr.dll

    This fixed our problems for client machines. Haven't tried it on servers but it might be worth a shot if it's the server caching credentials. Our problem was we were getting old credentials but only on a client machine basis. If the user logged in on a separate client machine, everything was fine, but if they used their own machine at their desk that they normally work on it had the cached old credentials.

    0 · Discussion (0)
  • 2020-12-23 21:26

    The problem as AviD identified is the Active Directory cache which you can control via the registry. Depending on your solution AviD's group policy options will fail or work depending if you are actually logging the users on or not.

    How it is being cached depends on how you are authenticating on IIS. I suspect it could be Kerberos so to do the clearing if it is being caused by Kerberos you may want to try klist with the purge option which should purge Kerberos tickets, which will force a reauth to AD on the next attempt and update the details.

    I would also suggest looking at implementing this which is slightly more complex but far less error prone.

    0 · Discussion (0)
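The checks the three answers above describe (the LookupAccountSid-style lookup against the LSA, the NT login name versus UPN comparison, and the klist purge) can be put together in one script. This is an added example, not code from the thread or from any of its posters. It assumes a domain-joined Windows host, Windows PowerShell 5.1 or later, and LDAP reachability to a domain controller; the SID in the usage line is a constructed placeholder, and the function name Test-PrincipalNameSync is mine.

```powershell
# Added example (not from the thread). Assumes a domain-joined host with LDAP
# access to a DC. The SID in the usage comment is a constructed placeholder.

function Test-PrincipalNameSync {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$UserSid,          # e.g. 'S-1-5-21-1111111111-2222222222-3333333333-1105' (placeholder)
        [switch]$PurgeTickets      # also run 'klist purge' for the current logon session
    )

    # 1. Ask the local LSA what this SID is called. .NET's Translate() wraps
    #    LookupAccountSid, so the answer reflects the LSA lookup cache, if any.
    $sid     = New-Object System.Security.Principal.SecurityIdentifier($UserSid)
    $lsaName = $sid.Translate([System.Security.Principal.NTAccount]).Value   # DOMAIN\name
    $lsaUser = ($lsaName -split '\\')[-1]

    # 2. Ask Active Directory directly, binding the object by SID over LDAP.
    $adUser = [ADSI]"LDAP://<SID=$UserSid>"
    $adSam  = [string]$adUser.sAMAccountName       # NT login name
    $adUpn  = [string]$adUser.userPrincipalName    # UPN (the name answer 3 above discusses)

    $upnPrefix = if ($adUpn) { ($adUpn -split '@')[0] } else { $null }

    $report = [pscustomobject]@{
        Sid              = $UserSid
        LsaResolvedName  = $lsaName
        AdSamAccountName = $adSam
        AdUserPrincipal  = $adUpn
        LsaIsStale       = ($lsaUser -ine $adSam)
        UpnMatchesSam    = ($null -ne $upnPrefix -and $upnPrefix -ieq $adSam)
    }

    if ($report.LsaIsStale) {
        Write-Warning "LSA resolves $UserSid to '$lsaName' but AD now has sAMAccountName '$adSam'."
    }
    if (-not $report.UpnMatchesSam) {
        Write-Warning "UPN '$adUpn' and NT login name '$adSam' differ; check which one the rename updated."
    }

    if ($PurgeTickets -and $PSCmdlet.ShouldProcess('current logon session', 'klist purge')) {
        # Drops this session's cached Kerberos tickets so the next authentication
        # goes back to AD. An IIS application pool runs in its own logon session,
        # so recycle that pool for the pool identity rather than relying on this.
        & klist.exe purge | Out-Null
    }

    return $report
}

# Usage (replace the placeholder SID); -WhatIf previews the purge without running it:
# Test-PrincipalNameSync -UserSid 'S-1-5-21-1111111111-2222222222-3333333333-1105' -PurgeTickets -WhatIf
```

LsaIsStale is the condition the question is about: the LSA still hands back the old name while AD already holds the new one. UpnMatchesSam flags the case from the third answer, where only one of the two names was changed. The purge only affects the logon session the script runs in, which is why the comment points at recycling the application pool for the identity IIS actually uses.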
  • 2020-12-23 21:26

    If it's not an issue of changing only the NT Username, then it does seem that the authentication service is caching the old username. You can define this to be disabled, go to the Local Security Settings (in Administrative Tools), and depending on version/edition/configuration the settings that are possibly relevant (from memory) are "Number of previous logons to cache" and "Do not allow storage of credentials...".

    Additional factors to take into account:

    • Domain membership might affect this, as member servers may inherit domain settings
    • You may still need to restart the whole server once for this to take effect (but then you won't have to worry about updates in the future).
    • Logon performance might be affected.

    As such, I recommend you test this first before deploying on production (of course).

    0 · Discussion (0)
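The two cache settings the thread points at (the LSA lookup cache size from KB946358 in the second answer, and "Number of previous logons to cache" in the answer above) can be audited and changed from PowerShell. This is an added example, not code from the thread or its posters. The registry value names, LsaLookupCacheMaxSize under the Lsa key and CachedLogonsCount under Winlogon, come from my reading of the KB article and of the corresponding security policy, not from the page; confirm them against the documentation for your Windows version. The function names are mine.

```powershell
# Added example (not from the thread). Value names are taken from KB946358
# (LsaLookupCacheMaxSize) and from the "Interactive logon: Number of previous
# logons to cache" policy (CachedLogonsCount); verify against your OS docs.
# Run elevated; writes are gated by -WhatIf / -Confirm.

$LsaKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-NameCacheSettings {
    # Reads both cache-related values; $null means "not set, Windows default applies".
    $lsa = Get-ItemProperty -Path $LsaKey -Name 'LsaLookupCacheMaxSize' -ErrorAction SilentlyContinue
    $wl  = Get-ItemProperty -Path $WinlogonKey -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        LsaLookupCacheMaxSize = if ($lsa) { [int]$lsa.LsaLookupCacheMaxSize } else { $null }  # 0 = lookup cache off
        CachedLogonsCount     = if ($wl)  { [int]$wl.CachedLogonsCount }     else { $null }  # 0 = no cached logons
    }
}

function Set-NameCacheSettings {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$LsaLookupCacheMaxSize = 0,   # 0 disables the SID/name lookup cache (KB946358)
        [int]$CachedLogonsCount     = 0    # 0 stops caching interactive domain logons on this host
    )
    if ($PSCmdlet.ShouldProcess($LsaKey, "LsaLookupCacheMaxSize = $LsaLookupCacheMaxSize")) {
        New-ItemProperty -Path $LsaKey -Name 'LsaLookupCacheMaxSize' -PropertyType DWord `
            -Value $LsaLookupCacheMaxSize -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($WinlogonKey, "CachedLogonsCount = $CachedLogonsCount")) {
        # CachedLogonsCount is stored as REG_SZ, so it is written as a string.
        New-ItemProperty -Path $WinlogonKey -Name 'CachedLogonsCount' -PropertyType String `
            -Value "$CachedLogonsCount" -Force | Out-Null
    }
}

# Usage: audit first, preview the change, then apply it with confirmation.
Get-NameCacheSettings | Format-List
# Set-NameCacheSettings -WhatIf
# Set-NameCacheSettings -Confirm
```

The caveats in the answer above apply to the Winlogon value in particular: on a domain member a Group Policy setting for "Number of previous logons to cache" will overwrite whatever this script writes, and with CachedLogonsCount at 0 domain users cannot sign in interactively while no domain controller is reachable. The LSA lookup cache value is the one the second answer reports as taking effect without a reboot or pool recycle; test on a non-production host first, as that answer also recommends.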