User authentication -- username mismatch in IIS in ASP.NET application

Posted by Cory Larson on Server Fault See other posts from Server Fault or by Cory Larson
Published on 2013-04-08T15:04:03Z Indexed on 2013/11/10 22:02 UTC
Read the original article Hit count: 281

Last week, an employee's Active Directory username was changed (or a new one was created for them). For the purposes of this example, let's assume these usernames:

Old: Domain\11111
New: Domain\22222

When this user now logs in using their new username, and attempts to browse to any one of a number of ASP.NET applications using only Windows Authentication (no Anonymous enabled), the system authenticates but our next layer of database-driven permissions prevents them from being authorized. We tracked it down to a mismatch of usernames between their logon account and who IIS thinks they are. Below are the outputs of several ASP.NET variables from apps running in a Windows 2008 IIS7.5 environment:

Request.ServerVariables["AUTH_TYPE"]: Negotiate
Request.ServerVariables["AUTH_USER"]: Domain\11111
Request.ServerVariables["LOGON_USER"]: Domain\22222
Request.ServerVariables["REMOTE_USER"]: Domain\11111

HttpContext.Current.User.Identity.Name: Domain\11111
System.Threading.Thread.CurrentPrincipal.Identity.Name: Domain\11111

From the above, I can see that only the LOGON_USER server variable has the correct value, which is the account the user used to log on to their machine. However, we use the "AUTH_USER" variable for looking up the database permissions.

In a separate testing environment (completely different server: Windows 2003, IIS6), all of the above variables show "Domain\22222". So this seems to be a server-specific issue, like the credentials are somehow getting cached either on their machine or on the server (the former seems more plausible).

So the question is: how do I confirm whether it's the user's machine or the server that is botching the request? How should I go about fixing this?

I looked at the following two resources and will be giving the first one a try shortly:

Thanks.

© Server Fault or respective owner

Related posts about iis7

Related posts about windows-xp