Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

IIS Returning Old User Names to my application

Here's my scenario. I created an application which uses Integrated Windows Authentication in order to work. In Application_AuthenticateRequest(), I use HttpContext.Current.User.Identity to get the current WindowsPrincipal of the user of my website.

Now here's the funny part. Some of our users have recently gotten married, and their names change. (i.e. the user's NT Login changes from jsmith to jjones) and when my application authenticates them, IIS passes me their OLD LOGIN . I continue to see jsmith passed to my application until I reboot my SERVER! Logging off the client does not work. Restarting the app pool does not work. Only a full reboot.

Does anyone know what's going on here? Is there some sort of command I can use to flush whatever cache is giving me this problem? Is my server misconfigured?

Note: I definitely do NOT want to restart IIS, my application pools, or the machine. As this is a production box, these are not really viable options.


AviD -

Yes, their UPN was changed along with their login name. And Mark/Nick... This is a production enterprise server... It can't just be rebooted or have IIS restarted.


Follow up (for posterity):

Grhm's answer was spot-on. This problem pops up in low-volume servers where you don't have a lot of people using your applications, but enough requests are made to keep the users' identity in the cache. The key part of the KB which seems to describe why the cache item is not refreshed after the default of 10 minutes is:

The cache entries do time out, however chances are that recurring queries by applications keep the existing cache entry alive for the maximum lifetime of the cache entry.

I'm not exactly sure what in our code was causing this (the recurring queries), but the resolution which worked for us was to cut the LsaLookupCacheExpireTime value from the seemingly obscene default of 1 week to just a few hours. This, for us, cut the probability that a user would be impacted in the real world to essentially zero, and yet at the same time doesn't cause an extreme number of SID-Name lookups against our directory servers. An even better solution IMO would be if applications looked up user information by SID instead of mapping user data to textual login name. (Take note, vendors! If you're relying on AD authentication in your application, you'll want to put the SID in your authentication database!)

like image 723
Dave Markle Avatar asked Oct 03 '08 21:10

Dave Markle


4 Answers

I've had similar issues lately and as stated in Robert MacLean's answer, AviD's group policy changes don't work if you're not logging in as the users.

I found changing the LSA Lookup Cache size as described is MS KB946358 worked without rebooting or recycling any apppool or services.

I found this as an answer to this similar question: Wrong authentication after changing user's logon name.

You might want to look into the following system calls such as the following ones:

LookupAccountName()

LookupAccountSid()

LsaOpenPolicy()

You could use them to write a C++/CLI (/Managed-C++) app to interrogate the LSA cache.

like image 187
Grhm Avatar answered Nov 04 '22 22:11

Grhm


The problem as AviD identified is the Active Directory cache which you can control via the registry. Depending on your solution Avid's group policy options will fail or work depending if you are actually logging the users on or not.

How it is being cached depends on how you are authenticating on IIS. I suspect it could be Kerberos so to do the clearing if it is being caused by Kerberos you may want to try klist with the purge option which should purge kerberos tickets, which will force a reauth to AD on the next attempt and update the details.

I would also suggest looking at implementing this which is slightly more complex but far less error prone.

like image 42
Robert MacLean Avatar answered Nov 04 '22 23:11

Robert MacLean


I know we've had cached credentials problems in IIS in the past here, too, and after Googling for days we came across an obscure (to us, at least) command you can use to view and clear cached credentials.

Start -> Run (or WinKey+R) and type control keymgr.dll

This fixed our problems for client machines. Haven't tried it on servers but it might be worth a shot if its the server caching credentials. Our problem was we were getting old credentials but only on a client machine basis. If the user logged in on a separate client machine, everything was fine, but if they used their own machine at their desk that they normally work on it had the cached old credentials.

like image 4
Sean Hanley Avatar answered Nov 05 '22 00:11

Sean Hanley


If it's not an issue of changing only the NT Username, then it does seem that the authentication service is caching the old username.
You can define this to be disabled, go to the Local Security Settings (in Administrative Tools), and depending on version/edition/configuration the settings that are possible relevant (from memory) are "Number of previous logons to cache" and "Do not allow storage of credentials...".

Additional factors to take into account:

  • Domain membership might affect this, as member servers may inherit domain settings
  • You may still need to restart the whole server once for this to take affect (but then you won't have to worry about updates in the future).
  • Logon performance might be affected.

As such, I recommend you test this first before deploying on production (of course).

like image 3
AviD Avatar answered Nov 04 '22 22:11

AviD