Last week, an employee's Active Directory username was changed (or a new one was created for them). For the purposes of this example, let's assume these usernames:
- Old: Domain\11111
- New: Domain\22222
When this user now logs in using their new username, and attempts to browse to any one of a number of ASP.NET applications using only Windows Authentication (no Anonymous enabled), the system authenticates but our next layer of database-driven permissions prevents them from being authorized. We tracked it down to a mismatch of usernames between their logon account and who IIS thinks they are. Below are the outputs of several ASP.NET variables from apps running in a Windows 2008 IIS7.5 environment:
- Request.ServerVariables["AUTH_TYPE"]: Negotiate
- Request.ServerVariables["AUTH_USER"]: Domain\11111
- Request.ServerVariables["LOGON_USER"]: Domain\22222
- Request.ServerVariables["REMOTE_USER"]: Domain\11111
- HttpContext.Current.User.Identity.Name: Domain\11111
- System.Threading.Thread.CurrentPrincipal.Identity.Name: Domain\11111
From the above, I can see that only the LOGON_USER server variable has the correct value, which is the account the user used to log on to their machine. However, we use the "AUTH_USER" variable for looking up the database permissions.
In a separate testing environment (completely different server: Windows 2003, IIS6), all of the above variables show "Domain\22222". So this seems to be a server-specific issue, like the credentials are somehow getting cached either on their machine or on the server (the former seems more plausible).
So the question is: how do I confirm whether it's the user's machine or the server that is botching the request? How should I go about fixing this?
I looked at the following two resources and will be giving the first one a try shortly:
- http://www.interworks.com/blogs/jvalente/2010/02/02/removing-saved-credentials-passwords-windows-xp-windows-vista-or-windows-7
- https://stackoverflow.com/questions/2325005/classic-asp-request-servervariableslogon-user-returning-wrong-username/5299080#5299080
Thanks.
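As an added example (not code from the question or the answer), here is a C# helper for an ASP.NET application that flags the AUTH_USER/LOGON_USER disagreement described in the question and keys the database permission lookup on the account SID, which does not change when an account is renamed (it would not help where a brand-new account was created, since that has a new SID). The class name `IdentityCheck`, its method names and the SID placeholder are assumptions.

```csharp
// Added example: detect a stale AUTH_USER and key authorization on the SID.
using System;
using System.Security.Principal;
using System.Web;

public static class IdentityCheck
{
    // Returns a description of the mismatch (for logging/alerting) when the
    // server variables disagree as they did for Domain\11111 vs Domain\22222,
    // or null when they agree.
    public static string DetectStaleName(HttpRequest request)
    {
        string authUser = request.ServerVariables["AUTH_USER"];
        string logonUser = request.ServerVariables["LOGON_USER"];
        if (!string.Equals(authUser, logonUser, StringComparison.OrdinalIgnoreCase))
        {
            return string.Format("AUTH_USER '{0}' differs from LOGON_USER '{1}'",
                                 authUser, logonUser);
        }
        return null;
    }

    // Use the account SID as the key for the database permission lookup.
    // A rename of the account changes the name but leaves the SID intact,
    // so permission rows stored by SID keep matching the same person.
    public static string StablePrincipalKey(IPrincipal user)
    {
        var winId = user.Identity as WindowsIdentity;
        if (winId == null || winId.User == null)
        {
            throw new InvalidOperationException("Windows Authentication expected");
        }
        return winId.User.Value; // e.g. "S-1-5-21-...-1234" (constructed placeholder)
    }

    // Resolve a stored SID back to the account's current name, e.g. to show
    // the renamed account in an admin view without re-keying the table.
    public static string CurrentNameForSid(string sid)
    {
        var account = (NTAccount)new SecurityIdentifier(sid).Translate(typeof(NTAccount));
        return account.Value;
    }
}
```

In an application that already stores names, a one-time migration can populate the SID column by resolving each stored name with `new NTAccount(name).Translate(typeof(SecurityIdentifier))` before any further renames occur.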
The problem looks similar to this issue here:
https://stackoverflow.com/questions/168946/iis-returning-old-user-names-to-my-application
For clarification, here is the solution:
http://support.microsoft.com/kb/946358