If a username is changed in Active Directory (AD), for example after a change of surname, the user will not be able to log in to Archive Manager. The logon attempt fails with the error message: "We are sorry, there has been an error in Archive Manager".
The following errors can also be observed in the Archive Manager event log on the IIS server responsible for the Archive Manager website.
Event ID 2:
Exception Source: System.Web
Exception Type: System.Web.HttpUnhandledException
Exception Message: Exception of type 'System.Web.HttpUnhandledException' was thrown.
Event ID 3:
Exception Source:
Exception Type: System.UnauthorizedAccessException
Exception Message: An error occured when a user logged into Archive Manager using Windows Authentication. This is normally caused when a user on domain A logs into a server which trusts domain A, but does not have any information in the Archive Manager database for domain A.
The Windows Local Security Authority (LSA) is caching the old username locally on the IIS server responsible for the Archive Manager website.
Although the username has changed in AD, Windows first queries its local Security Identifier (SID) cache. If the user's SID is still in the local cache, Windows passes the old, incorrect username to Archive Manager.
By default the LSA caches 128 SID mappings, so given enough time and user logons this problem will eventually resolve itself.
Rebooting the IIS server will also clear the SID cache.
To achieve a permanent fix, disable the LSA cache by changing the LsaLookupCacheMaxSize value to 0 as shown in this Microsoft Knowledgebase article: http://support.microsoft.com/kb/946358
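The check and the registry change described above, as an added PowerShell example (not part of the original article or of Archive Manager). The function names are hypothetical, the registry path HKLM\SYSTEM\CurrentControlSet\Control\Lsa is the location given in KB 946358 rather than on this page, and the SID in the usage comment is a constructed placeholder. It assumes an elevated session on the IIS server and that SID-to-name translation there goes through the same LSA lookup that Archive Manager's Windows Authentication relies on.

```powershell
# Added example: confirm a stale SID-to-name mapping, then disable the LSA SID cache.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'   # path per KB 946358 (assumption: not stated on this page)
$ValueName = 'LsaLookupCacheMaxSize'

function Get-LsaLookupCacheMaxSize {
    # When the value is absent, the default of 128 cached SID mappings applies.
    $prop = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 128 }
    return [int]$prop.$ValueName
}

function Test-StaleSidMapping {
    param([Parameter(Mandatory)][string]$Sid)

    # Name as resolved locally through the LSA; this can be served from the SID cache.
    $sidObj    = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $localName = $sidObj.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]

    # Name as currently stored in AD, read directly over LDAP by binding to the SID.
    $entry  = [ADSI]"LDAP://<SID=$Sid>"
    $adName = [string]$entry.psbase.Properties['sAMAccountName'].Value

    [pscustomobject]@{
        Sid       = $Sid
        LocalName = $localName
        AdName    = $adName
        Stale     = ($localName -ne $adName)   # True: the server still returns the old username
    }
}

function Disable-LsaLookupCache {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess("$LsaKey\$ValueName", 'Set to 0')) {
        # -Force creates the DWORD if it is missing and overwrites it if it exists.
        New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
    }
    Get-LsaLookupCacheMaxSize   # report the value now in effect
}

# Usage (constructed placeholder SID; substitute the renamed user's SID):
#   Test-StaleSidMapping -Sid 'S-1-5-21-1111111111-2222222222-3333333333-1234'
#   Disable-LsaLookupCache -WhatIf     # preview the registry change
#   Disable-LsaLookupCache             # apply it
```

A result with Stale set to True on the IIS server, while the same check on another domain member returns False, points to the local SID cache rather than to AD replication.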