LsaLookupSids

One of my coworkers got married and changed her surname. After her domain user account was changed, a strange thing happened. We are using domain authentication on our web portal, and after the account change she didn't have any rights on the portal anymore. I checked the log (I am using Elmah) and there it was: "Validation failed for one or more entities." The strangest thing was that the User column showed the old surname, not the new one! First I checked AD; everything was fine. Then I tried restarting the web site and IIS, which didn't help. A server reboot was out of the question.

After that I asked uncle Google whether he knew anything about this, and he directed me to a Stack Overflow article. To work around this issue you can do the following:

  1. Open the registry editor as admin (on Windows Server 2008 and newer you can find it via the search box by typing regedit; on older versions you can start it via Run).
  2. Locate the following subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  3. Right-click on it, point to New and click DWORD Value.
  4. Type in LsaLookupCacheMaxSize and press Enter.
  5. Set the value to 0 and exit the registry editor.

Warning: this registry entry disables local SID caching. Because the local SID cache helps reduce domain controller workload and network traffic, I deleted this registry entry again after I had checked that the cache no longer held the outdated username.
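The same procedure (steps 1 to 5 above plus the cleanup from the warning) scripted in PowerShell, as an added example that is not part of the original post. It assumes an elevated PowerShell session on the web server, and `$AccountSid` is a placeholder you replace with the SID of the renamed account. The `Translate` call resolves a SID to an account name through the same LSA lookup path that produced the stale surname, so running it before and after the change shows whether the cache still returns the old name.

```powershell
# Added example, not code from the original post: apply the LsaLookupCacheMaxSize
# workaround, check that SID-to-name resolution now returns the current account
# name, then remove the value again so the local SID cache is re-enabled.
# Run from an elevated PowerShell session on the affected server.

$LsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName  = 'LsaLookupCacheMaxSize'
# Placeholder SID (assumption): replace with the SID of the renamed domain account.
$AccountSid = 'S-1-5-21-0000000000-0000000000-0000000000-1234'

function Resolve-SidToName {
    param([Parameter(Mandatory)][string]$Sid)
    # SID -> account name; a stale local SID cache entry shows up here as the old name.
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $sidObj.Translate([System.Security.Principal.NTAccount]).Value
}

Write-Host "Before: $(Resolve-SidToName -Sid $AccountSid)"

# Steps 2 to 5 of the post: create (or overwrite) the DWORD with value 0,
# which disables the local SID cache.
New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null

$resolved = Resolve-SidToName -Sid $AccountSid
Write-Host "After (cache disabled): $resolved"

# Cleanup from the warning above: once the lookup returns the new name,
# delete the value so SID caching is restored and the DC is not hit on every lookup.
Remove-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
Write-Host "Removed $ValueName; local SID cache is active again."
```

If the "After" line still shows the old surname, the stale value is not coming from the local LSA cache, and the registry change should be reverted rather than left in place, since it only costs extra domain controller traffic.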

You can also check the solution on the official Microsoft support page.