Sunday, 24 June 2012

Cached SID of Old Windows Domain User Account

My company has a web application that utilises Windows authentication in order to validate users. This offers end users a quick way to become authorised without the burden of remembering multiple passwords. The other day a client contacted me saying that when they launched the web application, a different user name was being displayed from the Windows domain user account that was logged in.

So, for example, Bertie Wooster would log in to the workstation with the domain user account Corpdomain\bertiewooster. When the application started up, it stated that it could not find the login for Corpdomain\jeeves.

Running Excel data connections and also the ODBC Administrator (testing a data source) presented the same issue, so it was not an application issue but the way Windows was viewing the currently logged-on Windows domain user account.

The client using this particular software had a process of renaming the Windows domain user account each time a new end user joined the company. The Windows domain user account would be renamed from the old domain user name to the new one instead of creating a new account. So in our example, Corpdomain\jeeves had left the company and Corpdomain\bertiewooster took over.

New workstations did not experience the problem, but if the previous end user had logged onto the machine before, then this problem would be apparent. So the problem appeared to be profile related and a cached SID.

The problem was seen on Windows XP and Windows 2003 servers. We do not seem to experience the issue on Windows 2008 servers and Windows 7.

To correct the issue, the following was performed:

1. Remove the Windows profile folder created for the previous domain user name.

2. Remove the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\xxx (replace xxx with the subkey for that user; ProfileList subkeys are named by the user's SID, and its ProfileImagePath value points at the profile folder from step 1).

In some cases, step 1 alone was enough to correct the issue.
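The two steps above were done by hand. The PowerShell script below is an added example, not code from the original post, that finds the candidates for them: it walks the ProfileList key, reads each subkey's ProfileImagePath, resolves the SID to its current account name, and flags profiles whose folder name no longer matches the account the SID now resolves to (a renamed account keeps its SID, so the old name survives only in the cached profile) or whose SID no longer resolves at all (a deleted account). It assumes PowerShell 2.0 or later running elevated on the affected machine with the domain reachable for SID translation; the -Remove switch is a hypothetical addition that performs steps 1 and 2 for the flagged entries. One caveat worth stating: because the SID does not change, renaming an account rather than creating a new one hands every ACL entry and group membership of the departed user to the newcomer.

```powershell
# Added example (not from the original post): audit the ProfileList for cached
# profiles whose folder name no longer matches the account the SID resolves to.
# Assumptions: elevated session, PowerShell 2.0+, domain reachable for lookups.
# -Remove is a hypothetical switch that deletes the flagged profile folder and key.
param(
    [switch]$Remove
)

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Well-known SIDs that must never be removed: SYSTEM, LOCAL SERVICE, NETWORK SERVICE.
$protected = @('S-1-5-18', 'S-1-5-19', 'S-1-5-20')

# Never touch the profile of the account running this script.
$currentSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

$results = foreach ($key in Get-ChildItem -Path $profileList) {
    $sid = $key.PSChildName
    if ($protected -contains $sid -or $sid -eq $currentSid) { continue }

    # Get-ItemProperty expands REG_EXPAND_SZ, so %SystemDrive% is already resolved.
    $imagePath = (Get-ItemProperty -Path $key.PSPath -Name ProfileImagePath -ErrorAction SilentlyContinue).ProfileImagePath
    if (-not $imagePath) { continue }

    # The leaf of ProfileImagePath is the user name the profile was created under,
    # e.g. C:\Documents and Settings\jeeves -> jeeves.
    $folderName = Split-Path -Path $imagePath -Leaf

    # Windows leaves a ".bak" copy of a key after a failed profile load; strip it
    # so the SID itself still translates.
    $sidOnly = $sid -replace '\.bak$', ''
    try {
        $account = ([System.Security.Principal.SecurityIdentifier]$sidOnly).Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = $null   # deleted account, or the domain is unreachable
    }

    # Compare the user part only; the folder name is not domain-qualified.
    # StartsWith tolerates the suffixes Windows appends (name.DOMAIN, name.000).
    $currentName = if ($account) { ($account -split '\\')[-1] } else { $null }
    $status = if (-not $account) { 'Unresolvable' }
              elseif (-not $folderName.StartsWith($currentName, [System.StringComparison]::OrdinalIgnoreCase)) { 'Renamed' }
              else { 'OK' }

    New-Object PSObject -Property @{
        Sid         = $sid
        ProfilePath = $imagePath
        ResolvesTo  = $account
        Status      = $status
    }
}

$results | Format-Table Sid, ProfilePath, ResolvesTo, Status -AutoSize

if ($Remove) {
    foreach ($stale in ($results | Where-Object { $_.Status -ne 'OK' })) {
        Write-Host "Removing profile $($stale.ProfilePath) and key $($stale.Sid)"
        # Step 1 from the post: remove the profile folder.
        if (Test-Path -LiteralPath $stale.ProfilePath) {
            Remove-Item -LiteralPath $stale.ProfilePath -Recurse -Force
        }
        # Step 2 from the post: remove the ProfileList subkey for that SID.
        Remove-Item -Path (Join-Path $profileList $stale.Sid) -Recurse -Force
    }
}
```

Run it once without -Remove and read the table first: an 'Unresolvable' entry can also mean the domain controller could not be reached at that moment, and a profile should only be deleted while its user is logged off. In the post's scenario the entry for Corpdomain\jeeves's old profile would show as Renamed, resolving to Corpdomain\bertiewooster.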
