LsaLookupSids

One of my coworkers got married and changed her surname. After her domain user account was renamed, a strange thing happened. We use domain authentication on our web portal, and after the change she no longer had any rights on the portal. I checked the log (I am using Elmah) and there it was: Validation failed for one or more entities. The strangest thing was that the User column showed the old surname, not the new one! First I checked AD, and everything was fine there. Then I tried restarting the web site and IIS, which didn't help. A server reboot was out of the question.

After that I asked uncle Google if he knew anything about it, and he directed me to a Stack Overflow article. The reason the old name kept showing up is that LSA caches SID-to-name lookups locally, so the renamed account still resolved to the old name on the web server. To work around this you can do the following:

  1. Open the registry editor as an administrator (on Windows Server 2008 and newer you can find it via the search box by typing regedit; on older versions you can start it via Run).
  2. Locate the following subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  3. Right-click on it, point to New and click DWORD Value.
  4. Type LsaLookupCacheMaxSize and press Enter.
  5. Set the value to 0 and exit the registry editor.

Warning: this registry entry disables the local SID cache. Because the local SID cache reduces domain controller workload and network traffic, I deleted the registry entry again after I had checked that the cache no longer held the outdated username.

You can also check the solution on the official Microsoft support page.
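The same workaround as a script, with the check described above built in: it resolves the account's SID to a name before and after disabling the cache, and then restores the previous state of the registry value so caching is not left switched off. This is an added example, not code from the original post; the SID is a constructed placeholder, and the registry key and value name are the ones from the steps above. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original post). Temporarily disable the LSA SID-to-name
# cache, confirm the account resolves to its current name, then restore caching.
$sidString = 'S-1-5-21-0000000000-0000000000-0000000000-1234'   # placeholder SID; use
                                                                  # whoami /user or Get-ADUser for the real one
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'LsaLookupCacheMaxSize'

function Resolve-SidName([string]$sid) {
    # Translate SID -> DOMAIN\user through LSA; this is the lookup that goes
    # through the local SID cache and was returning the old surname.
    $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
    return $id.Translate([System.Security.Principal.NTAccount]).Value
}

Write-Host "Before: $(Resolve-SidName $sidString)"

# Remember whether the value already existed so the original state can be restored.
$existing = Get-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction SilentlyContinue

try {
    # 0 disables the local SID cache (the same change as the manual regedit steps).
    New-ItemProperty -Path $lsaKey -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Host "After (cache disabled): $(Resolve-SidName $sidString)"
}
finally {
    if ($null -eq $existing) {
        # The value did not exist before: remove it so caching resumes with the default.
        Remove-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction SilentlyContinue
    } else {
        # Put back whatever size was configured before.
        Set-ItemProperty -Path $lsaKey -Name $valueName -Value $existing.$valueName
    }
}
```

The `finally` block is the point of scripting this: the post warns that leaving the cache disabled costs domain controller load and network traffic, and a script that always restores the value cannot forget that step.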

How to override IIS default error messages?

Today I was working on returning proper status codes from an ASP.NET MVC 4 application. My AJAX requests needed the correct status code in order to show the right error message (in case of an error, of course). The problem was that IIS was redirecting whenever a status code was set on the response: for status code 401 it redirected to the basic login page, for status code 403 it redirected to the IIS generic error page, and so on. If you are working with .NET version 4.5 there is a very simple solution:

Response.TrySkipIisCustomErrors = true;

But not with .NET version 4.0. 🙂 In that case you have to add a few lines to your Web.config file inside the system.webServer node:

<httpErrors existingResponse="PassThrough">
  <!-- remove the inherited entry for each status code before adding our own -->
  <remove statusCode="401"/>
  <!-- 401 is Unauthorized, 403 is Forbidden: keep the paths matched to the codes -->
  <error statusCode="401" responseMode="ExecuteURL" path="~/StatusCode/Unauthorized"/>
  <remove statusCode="403"/>
  <error statusCode="403" responseMode="ExecuteURL" path="~/StatusCode/Forbidden"/>
  <remove statusCode="404"/>
  <error statusCode="404" responseMode="ExecuteURL" path="~/StatusCode/NotFound"/>
</httpErrors>

With the attribute value “PassThrough” (attribute existingResponse) you tell IIS to leave the response untouched whenever the application has already produced one. You can check the other attribute options here. The value of the path attribute inside the error node is the URL that produces the response (for example “~/ControllerName/ActionName”). That way you can override IIS’ default error responses with your own custom error responses.
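A deployment check for this configuration, as an added example that is not part of the original post: it requests each mapped route without following redirects and reports the status code IIS actually returned, so a redirect to the login page shows up as a 302 instead of the login page's 200. The base URL and the route names are assumptions; the application must be deployed and reachable.

```powershell
# Added example (not from the original post). Verifies that IIS passes the
# application's status codes through to the client instead of redirecting to the
# login page or serving its generic error page.
$baseUrl  = 'http://localhost/MyApp'       # assumption: your site or virtual application
$expected = [ordered]@{                    # assumption: routes as in the Web.config above
    '/StatusCode/Unauthorized' = 401
    '/StatusCode/Forbidden'    = 403
    '/StatusCode/NotFound'     = 404
}

function Get-RawStatusCode([string]$url) {
    # Return the status IIS actually sent. Redirects are not followed, so a 302 to
    # the login page is reported as 302 rather than as the login page's 200.
    try {
        $resp = Invoke-WebRequest -Uri $url -MaximumRedirection 0 -UseBasicParsing -ErrorAction Stop
        return [int]$resp.StatusCode
    }
    catch {
        # Windows PowerShell throws for 4xx/5xx responses and for an exceeded
        # redirect limit; the response object still carries the real status code.
        $response = $_.Exception.Response
        if ($null -ne $response) { return [int]$response.StatusCode }
        throw
    }
}

$failures = 0
foreach ($route in $expected.Keys) {
    $actual = Get-RawStatusCode ($baseUrl + $route)
    $want   = $expected[$route]
    if ($actual -eq $want) {
        Write-Host ("PASS {0} -> {1}" -f $route, $actual)
    } else {
        $failures++
        Write-Host ("FAIL {0} -> {1} (expected {2}; IIS is still replacing the response)" -f $route, $actual, $want)
    }
}
exit $failures
```

The script exits with the number of failing routes, so it can run as a post-deployment step; a FAIL line with a 302 for the 401 route is exactly the login redirect the post describes.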