Problem authenticating against renamed Active Directory account

Alan Lambert

I've got a web (intranet) application that uses Windows authentication. Once
a user has connected, the application picks up their username and looks up
details in a database using the username as a key.

The username is obtained from the following:

((WindowsPrincipal)Page.User).Identity.Name

This works fine for everyone, but a problem has recently cropped up. One
person's AD account has recently been renamed.
e.g. It was originally MYDOMAIN\JohnSmith and it is now MYDOMAIN\JohnJones

Although the user can log on using MYDOMAIN\JohnJones, the username resolves
to MYDOMAIN\JohnSmith, i.e. the original name.

Is there a bug in the security API? Why is this occurring and how do I fix
it?

Thanks in advance for your help

Alan
 
Joe Kaplan

There was a discussion about this very problem recently. It seems to have
to do with caching in the LSA. If rebooting the server doesn't flush the
cache, you can adjust the behavior by changing a registry key. Do a few
searches and you should find the relevant details.
 
Allen Chen [MSFT]

Hi Alan,

As Joe said, this problem is probably caused by the SID cache on the web
server. ((WindowsPrincipal)Page.User).Identity.Name will retrieve data from
the cache if the user has logged in before. Unfortunately the only way to clear
the cache is to reboot the web server machine.

A workaround to this issue might be using the GetUserNameEx API, like below:

<%@ Page Language="c#" %>
<%@ import Namespace="System.Security" %>
<%@ import Namespace="System.Security.Principal" %>
<%@ import Namespace="System.Runtime.InteropServices" %>
<%@ import Namespace="System.Text" %>
<html><body>
<script runat=server>

// GetUserNameEx returns a one-byte BOOLEAN, so marshal it as U1 rather than int.
// NameFormat 2 = NameSamCompatible, i.e. MYDOMAIN\user.
[DllImport("Secur32.dll", SetLastError=true, CharSet=CharSet.Auto)]
[return: MarshalAs(UnmanagedType.U1)]
public static extern bool GetUserNameEx(int NameFormat, StringBuilder userName,
                                        ref uint nSize);

public void Page_Load(Object s, EventArgs e){

    try {
        // Query on the authenticated user's token, not the worker process token.
        WindowsImpersonationContext impersonationContext =
            ((WindowsIdentity) User.Identity).Impersonate();
        try {
            StringBuilder userName = new StringBuilder(128);
            uint lOutSize = 128;   // in: buffer size, out: characters written (or required)
            if (GetUserNameEx(2, userName, ref lOutSize)) {
                Response.Write("You are now: " + userName.ToString() + "<BR>");
            } else {
                Response.Write("GetUserNameEx failed, Win32 error " +
                               Marshal.GetLastWin32Error() + "<BR>");
            }
        }
        finally {
            // Always revert, even if the lookup throws.
            impersonationContext.Undo();
        }
    }
    catch (Exception ex)
    {
        Response.Write(ex);
    }
}
</script>

<%=Request.ServerVariables["LOGON_USER"]%>
</body></html>

Please test the above code to see if it works.

Regards,
Allen Chen
Microsoft Online Support

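The thread's underlying problem is that the application keys its database on the account name, which Active Directory lets an administrator change at any time, while the SID is the identifier that survives a rename. The following console program is an added example, not code from the thread or from Microsoft: it shows the same GetUserNameEx call Allen Chen suggested, done with a correct P/Invoke signature (BOOLEAN return, ERROR_MORE_DATA retry), next to the SID exposed by WindowsIdentity.User, which is the value a lookup table should be keyed on. It targets .NET Framework on a domain-joined Windows host; the impersonation API, the name-format constants and the helper names are assumptions chosen for the example, and the MYDOMAIN\JohnJones account used in the migration helper is a placeholder from the original post.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;

// Added example: resolve the current account name via GetUserNameEx and key
// application data on the SID, which does not change when an account is renamed.
static class AccountNameResolver
{
    // EXTENDED_NAME_FORMAT values from secext.h.
    const int NameSamCompatible = 2;   // MYDOMAIN\JohnJones
    const int NameUserPrincipal = 8;   // johnjones@mydomain.example
    const int ERROR_MORE_DATA = 234;

    [DllImport("secur32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    [return: MarshalAs(UnmanagedType.U1)]   // the native return type is a one-byte BOOLEAN
    static extern bool GetUserNameExW(int nameFormat, StringBuilder lpNameBuffer, ref uint lpnSize);

    // Name of the account whose token is on the calling thread (so it honours impersonation).
    public static string GetCurrentName(int nameFormat)
    {
        uint size = 256;
        var buffer = new StringBuilder((int)size);
        if (!GetUserNameExW(nameFormat, buffer, ref size))
        {
            int err = Marshal.GetLastWin32Error();
            if (err != ERROR_MORE_DATA)
                throw new Win32Exception(err);
            // size now holds the required length (including the terminator); retry once.
            buffer.EnsureCapacity((int)size);
            if (!GetUserNameExW(nameFormat, buffer, ref size))
                throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        return buffer.ToString();
    }

    // One-time migration helper (assumed name): translate a stored DOMAIN\user key to its SID so
    // existing rows can be re-keyed. This goes through LSA name lookup too, so run it from a
    // machine where the name resolves correctly.
    public static string SidForAccount(string domain, string user)
    {
        var account = new NTAccount(domain, user);
        return ((SecurityIdentifier)account.Translate(typeof(SecurityIdentifier))).Value;
    }

    static void Main()
    {
        // In ASP.NET this would be (WindowsIdentity)User.Identity; here the process token stands in.
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            // What the thread's Identity.Name call returns; may be stale after a rename.
            Console.WriteLine("Identity.Name (may be cached): " + id.Name);
            // Stable key: use this, not the name, as the database key.
            Console.WriteLine("SID (database key):            " + id.User.Value);

            using (WindowsImpersonationContext ctx = id.Impersonate())
            {
                Console.WriteLine("GetUserNameEx SAM:             " + GetCurrentName(NameSamCompatible));
                Console.WriteLine("GetUserNameEx UPN:             " + GetCurrentName(NameUserPrincipal));
            }

            // Example migration call for the renamed account from the original post.
            Console.WriteLine("SID for MYDOMAIN\\JohnJones:     " + SidForAccount("MYDOMAIN", "JohnJones"));
        }
    }
}
```

Whichever name API is used for display, the lookup in the database should be `WHERE UserSid = @sid` with `id.User.Value` as the parameter; the account name then becomes a display attribute that can be refreshed from the directory rather than the identity the application trusts.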
 
