
We have a website integrated with ADFS 3 for authentication. The website allows users to change their usernames, which in turn changes their usernames in AD. If a user changes their username, we log them out using WSFederationAuthenticationModule.FederatedSignOut. However, the page redirects to the ADFS URL and throws an error. The event log shows that "either username or password is wrong":

MSIS7066: Authentication failed for the request. ---> System.Security.SecurityException: The user name or password is incorrect. I wonder if it is because of the user name change. I tried both with lsalookupcachemaxsize set to 0 in the registry and without the key. By the way, does ADFS 3 even consider this registry key?

The code used is below:

// Clear the local ASP.NET forms-authentication ticket.
FormsAuthentication.SignOut();
// Tear down the WIF session (SAM) and remove its FedAuth cookie(s).
FederatedAuthentication.SessionAuthenticationModule.SignOut();
FederatedAuthentication.SessionAuthenticationModule.DeleteSessionTokenCookie();
// Sign out of the WS-Federation module locally without redirecting to the STS yet.
FederatedAuthentication.WSFederationAuthenticationModule.SignOut(false);
Response.Expires = 0;
Session.Abandon();
// Redirect to the STS (ADFS) with a wsignout1.0 request so the ADFS SSO session is ended too.
var authenticationModule = FederatedAuthentication.WSFederationAuthenticationModule;
WSFederationAuthenticationModule.FederatedSignOut(new Uri(authenticationModule.Issuer), new Uri(authenticationModule.Realm));
rachen
  • Yes, disabling the LSA cache is necessary in this scenario. Did you do it on all AD FS servers? – maweeras Sep 12 '14 at 21:04
  • Thanks for the response. lsalookupcachemaxsize is set to 0 in the registry. We have only one ADFS server. The registry entry does not seem to have any effect. This registry entry does not cache the old username. However, the current problem is that, during signout, ADFS identifies that the token was issued for a different name than the current name. Why does it validate the request during signout? This behavior/issue was not there in ADFS 2.0. – rachen Sep 13 '14 at 18:59

0 Answers