0

I have WCF service with Windows authentication. To identify client user on the service side I'm using following code: ServiceSecurityContext.Current.PrimaryIdentity.Name.

That returns me string in the form: 'domain\janedoe'.

Jane Doe became married and changed last name. Active Directory administrator also renamed her user id. So now she logs into AD as 'domain\janesmith'.

My issue is that ServiceSecurityContext.Current.PrimaryIdentity.Name still returns old one - 'domain\janedoe'.

Do you have some suggestions on where to start with this?

TarasB
  • I was experiencing this same issue. I believe the info at the link provided by DaMoohn would resolve the issue in the long term. If this must be resolved quickly (and without a server restart), the quickest way I've found is to cause the cache to refresh by other means. Adding the user to the server as a user and having them authenticate to a local resource, either through remote desktop or possibly a file share will update the cache and allow the WCF service to pull in the correct account information. – N. L. Long Feb 04 '15 at 21:19

3 Answers

1

There is some caching mechanism in Active Directory.

Maybe this link will help you link

DaeMoohn
1

I had a similar problem with a web app I was running in IIS 6. The only thing that would ever work for me to clear the cache was to restart the server. Our AD admin was completely unhelpful/out of his depth so I eventually just re-wrote the page to grab the sid. Then if I needed the username I would do an LDAP query on the sid to get the user name.

Brian Cauthon
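Brian's approach in code, as an added example that is not from the original answer: read the caller's SID from the WindowsIdentity (the SID survives a rename) and ask the domain for the account's current sAMAccountName via System.DirectoryServices.AccountManagement. It assumes the service runs with Windows authentication and that the caller supplies the domain name (the hypothetical `domainName` parameter); `CallerResolver` is a name chosen for this example.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using System.ServiceModel;

// Resolves the caller's current account name from the stable SID instead of
// trusting the possibly stale ServiceSecurityContext.Current.PrimaryIdentity.Name.
public static class CallerResolver
{
    // Returns "DOMAIN\sAMAccountName" as currently stored in AD, or null if the
    // caller is not a Windows identity or no account with that SID exists.
    public static string CurrentAccountName(string domainName)
    {
        var identity = ServiceSecurityContext.Current == null
            ? null
            : ServiceSecurityContext.Current.PrimaryIdentity as WindowsIdentity;
        if (identity == null || identity.User == null)
            return null;

        return AccountNameForSid(identity.User, domainName);
    }

    public static string AccountNameForSid(SecurityIdentifier sid, string domainName)
    {
        // Note: sid.Translate(typeof(NTAccount)) would go through the local LSA
        // name lookup, which is the cache that still hands back the old name.
        // Querying the directory by objectSid over LDAP bypasses that cache.
        using (var ctx = new PrincipalContext(ContextType.Domain, domainName))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.Sid, sid.Value))
        {
            if (user == null)
                return null;
            return domainName + "\\" + user.SamAccountName;
        }
    }

    // For authorization decisions, compare SIDs rather than names: a stored SID
    // keeps matching the same account after a rename, a stored name does not.
    public static bool CallerHasSid(SecurityIdentifier expected)
    {
        var identity = ServiceSecurityContext.Current == null
            ? null
            : ServiceSecurityContext.Current.PrimaryIdentity as WindowsIdentity;
        return identity != null && identity.User != null && identity.User.Equals(expected);
    }
}
```

Requires a reference to System.DirectoryServices.AccountManagement and an account that can read the domain; if the directory is unreachable the lookup throws rather than silently returning the cached name.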
0

How about using Softerra LDAP Browser (the free version 2.6) to see what attributes are available and to see which field could have possibly been read from?

Then you could investigate further; maybe the change of her name did not cover all necessary attributes.

Addition:

Also, if you have multiple domain controllers that replicate their information, there could be some delay, until they all have up-to-date data.

Uwe Keim
  • 1
    Thanks, @Ed. The downvote is probably because I provide no direct solutions but just a hint on how to start finding a solution. I posted only because the author asked for "...suggestions on where to start...". – Uwe Keim Jan 31 '11 at 15:52
  • 1
    Thank you for the suggestion, Uwe. I'll try that or another tool. – TarasB Jan 31 '11 at 15:54
  • 1
    @Taras Look for the samAccountName attribute. The administrator who renamed the AD user might not have renamed the samAccountName attribute. – Harvey Kwok Feb 01 '11 at 02:57
  • 2
    The downvote was because the answer you gave didn't suggest ways to further solve the issue; it just sounded like a commercial. The OP should know there are free Microsoft tools ("admin packs") available that offer the possibility to query the AD content straightforwardly. But that's not the solution to the problem. The solution would be to clear the cache, assuming the admin performed his job. – DaeMoohn Feb 01 '11 at 08:18
  • 2
    I think it might have been better to suggest checking ldap attributes as a comment on the question. Replication issues could be a cause and should be its own answer in my opinion. – Brian Cauthon Feb 08 '11 at 16:53
  • 1
    Uwe, have a look at [Apache Directory Studio](http://directory.apache.org/studio/); it's a good LDAP browser too. – JPBlanc Apr 21 '11 at 06:05