Thursday, July 26, 2012

ADFS and AD User Name Changes

One of our users was recently married, and had her name changed.

Two days later she opened a helpdesk ticket indicating that one of our claims-aware applications was denying her access to its resources.

After enabling ADFS debug logging, I discovered that the server was still referencing her old user name.

After a few minutes of Googling, I found this article, which points to a MS KB article describing how LSA caches name-to-SID lookups on each server; the ADFS server was still serving her old name from that cache, which was the cause of my problem.

A quick PowerShell script, run on the ADFS server after a rename, flushes that cache: setting the LsaLookupCacheMaxSize registry value noted in the KB article to 0 disables the cache and discards its contents, and setting it back to 128 (the default) re-enables caching with an empty cache, so the next lookup goes to a domain controller and picks up the new name:

$RegKey="HKLM:\System\CurrentControlSet\Control\Lsa"
# 0 disables the LSA lookup cache and discards the cached name/SID mappings
Set-ItemProperty -path $RegKey -name LsaLookupCacheMaxSize -value 0 -Type DWord
# 128 is the default size; this re-enables caching, starting from an empty cache
Set-ItemProperty -path $RegKey -name LsaLookupCacheMaxSize -value 128 -Type DWord
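The following is an added example, not part of the original post, that first checks whether this server's cached name for a user's SID disagrees with what a domain controller holds, and only then flushes the cache. It assumes it is run elevated on the ADFS server with the RSAT ActiveDirectory module installed; the account name jsmith is a placeholder for the renamed user's new sAMAccountName.

```powershell
# Added example (not from the original post). Assumes: elevated PowerShell on the
# ADFS server, RSAT ActiveDirectory module available, 'jsmith' is a placeholder.

function Test-LsaNameCache {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Authoritative answer: ask a domain controller for the account and its SID.
    $adUser = Get-ADUser -Identity $SamAccountName
    $sid    = $adUser.SID   # System.Security.Principal.SecurityIdentifier

    # Local answer: SID -> name on THIS machine. This goes through LsaLookupSids,
    # which is served from the LSA lookup cache if the SID was resolved before,
    # so after a rename it can still return the old name.
    $ntAccount = $sid.Translate([System.Security.Principal.NTAccount]).Value  # DOMAIN\name
    $localName = $ntAccount.Split('\')[-1]

    [pscustomobject]@{
        SID       = $sid.Value
        DcName    = $adUser.SamAccountName
        LocalName = $localName
        Stale     = ($localName -ne $adUser.SamAccountName)   # -ne is case-insensitive
    }
}

function Clear-LsaLookupCache {
    $regKey = 'HKLM:\System\CurrentControlSet\Control\Lsa'
    # 0 disables the cache and discards its contents; 128 is the default size.
    Set-ItemProperty -Path $regKey -Name LsaLookupCacheMaxSize -Value 0   -Type DWord
    Set-ItemProperty -Path $regKey -Name LsaLookupCacheMaxSize -Value 128 -Type DWord
}

$before = Test-LsaNameCache -SamAccountName 'jsmith'
$before
if ($before.Stale) {
    Clear-LsaLookupCache
    # Re-run the check; LocalName should now match DcName.
    Test-LsaNameCache -SamAccountName 'jsmith'
}
```

The check has to run on the ADFS server itself: the LSA lookup cache is per machine, so the same comparison run from a workstation or a domain controller says nothing about what ADFS will see. Leaving LsaLookupCacheMaxSize at 0 permanently avoids the problem entirely, at the cost of every name/SID lookup going to a domain controller.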


2 comments:

Anonymous said...

Hi John,

Thanks for sharing.

Where did you execute the script?

Is it on the AD server?

Thanks,
eyr

John Croson said...

No, this was done on the ADFS server.