ADFS and AD User Name Changes

One of our users was recently married, and had her name changed.

Two days later she opened a helpdesk ticket indicating one of our claims aware applications denied her access to it's resources.

After enabling ADFS debug logging, I discovered that the server was still referencing her old user name.

After a few minutes of Googling, I found this article that points to a MS KB article outlining the use of LSA caching user SID's, creating my problem.

A quick Powershell script keeps this from happening again after creating the registry key noted in the KB article:

$RegKey="HKLM:\System\CurrentControlSet\Control\Lsa"
Set-ItemProperty -path $RegKey -name LsaLookupCacheMaxSize -value 0
Set-ItemProperty -path $RegKey -name LsaLookupCacheMaxSize -value 128

Enhanced by Zemanta

Comments

Anonymous said…
Hi John,

Thanks for sharing.

Where did you execute the script?

Is it in the AD server?

Thanks,
eyr

Wed Aug 15, 12:25:00 AM CDT
John Croson said…
No, this was done on the ADFS server.
Wed Aug 15, 09:59:00 AM CDT
Post a Comment

Popular posts from this blog

freeFTPD

Image
Image by Micah68 via Flickr I've been using FileZilla FTP server for some time now and have been happy for the performance. Recently, we needed the ability to expose the FTP service to another client, and the documents that we'd be receiving would be arriving in an un-encrypted form, unlike our other clients. I decided I could simply enable FTPS , the SSL enabled FTP protocol and open a port to 990 on my ASA 5525 Security Appliance and NAT traffic to our server. Unfortunately I quickly found out that a passive FTPS server behind my firewall won't work without some specific configuration changes as discussed in this article . With all that fussing around, I decided to check out freeFTPd, a single deamon that offers both FTP and SFTP, not to be confused with FTPS, but the secure file transfer protocol that is common to the SSH ( secure shell ) protocol. It's fairly straight forward, but is a bit quirky and the documentation is non-existent. Follow some of my ti...
Read more

Traveling via Amtrak

Image
My wife, son and I recently took a trip to St Louis , to visit her Mom and Dad. We always have a good time, but don't look forward to the drive, as it takes 7 hours or so one way from 'lil old SE Wisconsin . Image via Wikipedia Thankfully, she looked into an older style of travel for our most recent trip to visit G'ma and G'pa; Amtrak . The cost is not much more than it is to drive. Fuel costs driving our mini-van is usually about $120, not to mention the fuel my son expends attempting to break out of his car seat ... The cost for our train ride was $188 with tax. Our son rode for 1/2 price since he is only 3. The trip took nearly the same amount of time, and we could ALL nap on the way down. We were able to bring a small cooler with lunch, play for a couple of hours in the dining car ( coloring books , puzzles, etc.) The only complaint I will lodge is customer service is a bit lacking. Our initial inquiries indicated we had the ability to check a bag, but foun...
Read more

DotNetNuke SEO

Image
I've been reading quite a bit lately on improving SEO for our DotNetNuke website , IHBSOnline.com and quickly realized it just isn't enough to throw up a website, add a listing in a couple of search engines and wait for the masses. First off, the DnnFriendlyUrlProvider, while writing friendlier URL's than older versions of DNN, could be better. This is why you need the iFinity FriendlyURL provider. It is free, but keep in mind it is really designed for a single domain site, and presents other issues with some other 3rd party modules. If you fall into that category, I'd suggest you purchase the full version, as it adds additional functionality you'll need and want. Image by AFP/Getty Images via Daylife I've learned that Google and possibly other search engines actually penalize you if you create duplicate content. The duplicate content issue could easily arise if you have a host that responds to both http://mydomain.com and http://www.mydomain.com. Yo...
Read more