IIS Server Security >> AD user name changed, IIS still sees old user name

by QWFyb24 » Tue, 29 Mar 2005 03:49:01 GMT

We have an ASP.NET application running on Windows Server 2003, using IIS 6.0,
and Integrated Windows Authentication with SQL Server 2000 on the back-end.
We store Active Directory user names in the SQL Server database for use in
mapping application user accounts to Active Directory user accounts. We
created a user account for one of our users some time last year (i.e. -
_joeuser), and added them to the database as an active user (i.e. - inserted
"_joeuser" into the user's table). This year the user's name was changed in
Active Directory from "_joeuser" to "jimuser". Of course, we also updated
the user name in the application's user table.

The problem is, even though we have changed the name in both Active
Directory and in the user table in the database, when calling
Context.User.Identity from within our ASP.NET application we receive the old
user name when the user connects to the site (i.e. - "_joeuser"). Neither
restarting IIS nor restarting the worker process fixes the problem. A full
server reboot will fix the problem; however, we do not want to reboot one of
the servers every time we change a username in Active Directory. Is there a
way to force these changes down to the server(s) on-demand when making this
kind of user name change in the Active Directory?

Additionally, we also wrote a small tool to query the AD from the
command-line on the web server, and it is able to find the SID for the new
user name (i.e. - "jimuser") as expected. When the tool is asked to query
the AD for a SID for the old user name (i.e. - "_joeuser"), it cannot find
the name as expected.

Any ideas or thoughts would be greatly appreciated! We have a developer who
is "on-the-edge" as a result of this issue, and we are trying to solve his
problem.

Thank you,

Aaron


IIS Server Security >> AD user name changed, IIS still sees old user name

by David Wang [Msft] » Tue, 29 Mar 2005 06:33:00 GMT


Did you change the user's name, user's SID, or both?

IIS definitely caches user tokens for performance reasons (can't be hitting
the DC on every single request...), and since the DC doesn't tell IIS when
such AD data changes, you'll have to do it yourself. Restarting IIS (either
recycling the ApplicationPool or W3SVC service) should be sufficient to
clear out the user tokens. I also believe IIS refreshes such user tokens
after 15 minutes or so, so unless you are in a hurry, things should just
magically work.

Now, ASP.Net/.Net Framework may do its own caching, and since
Context.User.Identity is within ASP.Net, you will need to make sure their
caches are cleared as well.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
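An added illustration, not code from the thread, of the point behind David's first question: the SID on the caller's token does not change when the logon name does, so an ASP.NET application that maps AD users to application accounts can key that mapping on the SID and can ask the domain for the current name of that SID instead of trusting the name on a cached token. It assumes .NET 2.0 or later (for WindowsIdentity.User and the System.Security.Principal translation types); the class and page names are hypothetical.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Hypothetical helper, not code from the thread: keys the AD-to-application
// user mapping on the caller's SID, which a logon-name rename does not change.
public static class AdUserMapping
{
    // Name as carried on the token IIS handed to ASP.NET. After a rename this
    // can still be the old sAMAccountName until the cached token is refreshed.
    public static string TokenName(HttpContext ctx)
    {
        return ctx.User.Identity.Name;
    }

    // SID string (S-1-5-21-...) from the same token. Renaming "_joeuser" to
    // "jimuser" in AD leaves this value unchanged, so a stored SID column keeps
    // matching without any server restart.
    public static string CurrentUserSid(HttpContext ctx)
    {
        WindowsIdentity wi = ctx.User.Identity as WindowsIdentity;
        if (wi == null || !wi.IsAuthenticated)
            throw new InvalidOperationException("Integrated Windows authentication is required.");
        return wi.User.Value;
    }

    // Asks the domain (through the web server's LSA) which account currently
    // owns the SID, rather than trusting the name on the cached token.
    public static string AccountNameForSid(string sid)
    {
        SecurityIdentifier sidObj = new SecurityIdentifier(sid);
        NTAccount account = (NTAccount)sidObj.Translate(typeof(NTAccount));
        return account.Value; // e.g. MYDOMAIN\jimuser
    }
}

// Hypothetical diagnostic page: shows all three values side by side so a
// stale token name is visible next to the stable SID.
public partial class WhoAmI : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string sid = AdUserMapping.CurrentUserSid(Context);
        Response.Write("token name: " + Server.HtmlEncode(AdUserMapping.TokenName(Context)) + "<br/>");
        Response.Write("sid: " + Server.HtmlEncode(sid) + "<br/>");
        Response.Write("domain name now: " + Server.HtmlEncode(AdUserMapping.AccountNameForSid(sid)));
        // Look the application user up by sid, not by name, in the user table.
    }
}
```

Translate goes through the local LSA, which keeps its own SID-to-name lookup cache, so the name it returns can also lag a rename for a while; matching on the SID itself does not depend on that cache.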


IIS Server Security >> AD user name changed, IIS still sees old user name

by QWFyb24 » Tue, 29 Mar 2005 10:07:03 GMT

David,

We did not change the user's SID, only the user's logon username. The
change was made a couple of weeks ago, in fact, so it should not still be cached
by IIS. This is what puzzles us the most, and why we are asking the question
here. If ASP.NET was caching credentials in session or application memory
space, this should be cleared when an IIS reset is performed and the worker
process is recycled. This is why we are wondering what we are doing wrong.
Please advise.

Thanks,

Aaron


AD user name changed, IIS still sees old user name

by QWFyb24 » Wed, 30 Mar 2005 22:33:06 GMT

Any other ideas? We really need to resolve this issue. We cannot go around
rebooting all the servers in our environment every time we have to change a
user's logon username. Please help.

Thanks,

Aaron


RE: AD user name changed, IIS still sees old user name

by S2Vu » Wed, 06 Apr 2005 12:05:02 GMT

Aaron:

Did you ever find a resolution for this? I am experiencing the exact same
problem, down to the app versions. The issue manifests itself when
attempting to retrieve group memberships for the user with the changed
logon. At first we thought it might be an issue with the global catalog being
updated, but booting the IIS server resolves it, so that doesn't really point
to the GC. It certainly seems as though the old credentials are being cached
somewhere. I tried a registry setting for the default IIS user token time-to-live,
but it had no effect. I haven't found anything to this point on ASP caching.

Thanks,

Ken
