ADFS and AD User Name Changes

One of our users was recently married, and had her name changed.

Two days later she opened a helpdesk ticket indicating one of our claims aware applications denied her access to it's resources.

After enabling ADFS debug logging, I discovered that the server was still referencing her old user name.

After a few minutes of Googling, I found this article that points to a MS KB article outlining the use of LSA caching user SID's, creating my problem.

A quick Powershell script keeps this from happening again after creating the registry key noted in the KB article:

$RegKey="HKLM:\System\CurrentControlSet\Control\Lsa"
Set-ItemProperty -path $RegKey -name LsaLookupCacheMaxSize -value 0
Set-ItemProperty -path $RegKey -name LsaLookupCacheMaxSize -value 128

Enhanced by Zemanta

Comments

Anonymous said…
Hi John,

Thanks for sharing.

Where did you execute the script?

Is it in the AD server?

Thanks,
eyr

Wed Aug 15, 12:25:00 AM CDT
John Croson said…
No, this was done on the ADFS server.
Wed Aug 15, 09:59:00 AM CDT
Post a Comment

Popular posts from this blog

NPI Search Redundancy

Most healthcare professionals know at this point that all providers of health care, require NPI (National Provider Identifier) numbers. Without one, it will become increasingly difficult for claims to be paid by commercial payers, and impossible to collect medicare and medicaid payments. Since we are a coding/billing/collection/management agency, we have frequented the NPPES (National Plan & Provider Enumeration System) to lookup NPI information. Unfortunately, there have been brief periods of downtime of the site, causing us to implement our own solution: a backup of the registry. I have a daily cron job that downloads the NPI database, push it into MySQL, giving us an albeit slow, but accurate access to an off-line version of this data. The shell script below performs the retrieval: #!/bin/sh WORKDIR="/srv/htdocs/npi" LOG="$WORKDIR/npi.log" MONTH=`date +%b` LASTMONTH=`date +%b --date='1 month ago'` YEAR=`date +%Y` URL="http://nppesdata.cms.h
Read more

freeFTPD

Image
Image by Micah68 via Flickr I've been using FileZilla FTP server for some time now and have been happy for the performance. Recently, we needed the ability to expose the FTP service to another client, and the documents that we'd be receiving would be arriving in an un-encrypted form, unlike our other clients. I decided I could simply enable FTPS , the SSL enabled FTP protocol and open a port to 990 on my ASA 5525 Security Appliance and NAT traffic to our server. Unfortunately I quickly found out that a passive FTPS server behind my firewall won't work without some specific configuration changes as discussed in this article . With all that fussing around, I decided to check out freeFTPd, a single deamon that offers both FTP and SFTP, not to be confused with FTPS, but the secure file transfer protocol that is common to the SSH ( secure shell ) protocol. It's fairly straight forward, but is a bit quirky and the documentation is non-existent. Follow some of my ti
Read more

Using ImageMagick and Tesseract to sort TIFFs on Windows

Image
Recently I wrote a post about my search for a TIFF iFilter that would enable me to use VBScript to query a Windows Indexing Services server for file management. I found that since OCR is never always 100% accurate, neither were my attempts at sorting all the inbound EMR faxes we get each day. I did however, find Tesseract , a great product that was originally developed by HP and proprietary, and is now developed by Google and licensed under the Apache License v2, open source . It is one of the most accurate open source OCR engines available. It is quite basic, and in the version you obtain from the project page , it only operates from the command line, and without the libtiff library, will only do it's work on un-compressed TIFFs. More information can be found on the project pages , and Wikipedia . Doing some scouring, I aso found a front-end , and ArchivistaBox, a complete document management system . Image via Wikipedia I'm using it in Windows, so I needed to do one of
Read more