IIS Returning Old User Names to my application

asp.net security iis authentication kerberos

21,886

Solution 1

I've had similar issues lately and as stated in Robert MacLean's answer, AviD's group policy changes don't work if you're not logging in as the users.

I found changing the LSA Lookup Cache size as described is MS KB946358 worked without rebooting or recycling any apppool or services.

I found this as an answer to this similar question: Wrong authentication after changing user's logon name.

You might want to look into the following system calls such as the following ones:

LookupAccountName()

LookupAccountSid()

LsaOpenPolicy()

You could use them to write a C++/CLI (/Managed-C++) app to interrogate the LSA cache.

Solution 2

The problem as AviD identified is the Active Directory cache which you can control via the registry. Depending on your solution Avid's group policy options will fail or work depending if you are actually logging the users on or not.

How it is being cached depends on how you are authenticating on IIS. I suspect it could be Kerberos so to do the clearing if it is being caused by Kerberos you may want to try klist with the purge option which should purge kerberos tickets, which will force a reauth to AD on the next attempt and update the details.

I would also suggest looking at implementing this which is slightly more complex but far less error prone.

Solution 3

I know we've had cached credentials problems in IIS in the past here, too, and after Googling for days we came across an obscure (to us, at least) command you can use to view and clear cached credentials.

Start -> Run (or WinKey+R) and type control keymgr.dll

This fixed our problems for client machines. Haven't tried it on servers but it might be worth a shot if its the server caching credentials. Our problem was we were getting old credentials but only on a client machine basis. If the user logged in on a separate client machine, everything was fine, but if they used their own machine at their desk that they normally work on it had the cached old credentials.

Solution 4

If it's not an issue of changing only the NT Username, then it does seem that the authentication service is caching the old username.
You can define this to be disabled, go to the Local Security Settings (in Administrative Tools), and depending on version/edition/configuration the settings that are possible relevant (from memory) are "Number of previous logons to cache" and "Do not allow storage of credentials...".

Additional factors to take into account:

Domain membership might affect this, as member servers may inherit domain settings
You may still need to restart the whole server once for this to take affect (but then you won't have to worry about updates in the future).
Logon performance might be affected.

As such, I recommend you test this first before deploying on production (of course).

Solution 5

When these users' names were changed, did you change only their NT Login names, or their UPN names too? the UPN names are the proper names, and used by Kerberos - which is the default protocol for IWA; however, if you just click to change their name in ActiveDirectory, only the NT Login name changes - even though thats what they would use to login (using the default windows GINA). Under the covers, windows would translate the (new) NT Login name to the (old) Kerberos name. This persists until AD is forced to update the Kerberos name according to the NT Login name...

View more solutions

21,886

Author by

Dave Markle

Software Development Manager, Sands Capital Management

Updated on August 09, 2020

Comments

Dave Markle almost 4 years

Here's my scenario. I created an application which uses Integrated Windows Authentication in order to work. In Application_AuthenticateRequest(), I use HttpContext.Current.User.Identity to get the current WindowsPrincipal of the user of my website.

Now here's the funny part. Some of our users have recently gotten married, and their names change. (i.e. the user's NT Login changes from jsmith to jjones) and when my application authenticates them, IIS passes me their OLD LOGIN . I continue to see jsmith passed to my application until I reboot my SERVER! Logging off the client does not work. Restarting the app pool does not work. Only a full reboot.

Does anyone know what's going on here? Is there some sort of command I can use to flush whatever cache is giving me this problem? Is my server misconfigured?

Note: I definitely do NOT want to restart IIS, my application pools, or the machine. As this is a production box, these are not really viable options.

AviD -

Yes, their UPN was changed along with their login name. And Mark/Nick... This is a production enterprise server... It can't just be rebooted or have IIS restarted.

Follow up (for posterity):

Grhm's answer was spot-on. This problem pops up in low-volume servers where you don't have a lot of people using your applications, but enough requests are made to keep the users' identity in the cache. The key part of the KB which seems to describe why the cache item is not refreshed after the default of 10 minutes is:

The cache entries do time out, however chances are that recurring queries by applications keep the existing cache entry alive for the maximum lifetime of the cache entry.

I'm not exactly sure what in our code was causing this (the recurring queries), but the resolution which worked for us was to cut the LsaLookupCacheExpireTime value from the seemingly obscene default of 1 week to just a few hours. This, for us, cut the probability that a user would be impacted in the real world to essentially zero, and yet at the same time doesn't cause an extreme number of SID-Name lookups against our directory servers. An even better solution IMO would be if applications looked up user information by SID instead of mapping user data to textual login name. (Take note, vendors! If you're relying on AD authentication in your application, you'll want to put the SID in your authentication database!)