Rename user in AD causes problem in CMS authentication
| subscriber 2005-11-26, 7:48 am |
We have an MCMS 2002 based website with CMS forms authentication and users
stored in AD.

We have a requirement that users in AD can be renamed programmatically. When
a user has been renamed and afterwards logs on to the site, the
HttpContext.Current.User has wrongly been assigned to the old username (the
username before the rename).

After some investigation I found out that the usernames are stored in the
AEUser mcms database table along with their SID.
I suspect that the CMS authentication module somehow looks up the user's SID
based on the given username and creates a cms auth ticket.
Unfortunately the relation between the SID and the username has changed due
to the rename, which CMS is not aware of, and therefore the
HttpContext.Current.User gets assigned with the wrong username.

I've tried the "Synchronize" functionality in Site Manager with no luck.

I've tried an IISRESET with no luck.

I've tried to clear the memory cache via server configuration application -
and again with no luck.

As updating the MCMS database is not an option, can someone tell me if this
is a bug/by design and if there is a workaround (other than don't do the
renaming)?

Thanks.

Some details about the implementation:

When renaming the user in AD, the following properties are changed: CN,
sAMAccountName, userPrincipalName.

When a user logs on to the site, his username and password are checked
against the AD via System.DirectoryServices. If username and password match
up, a cms authentication ticket is created using the cms authentication
module.

The users are not directly tied up with an MCMS rights group - mcms rights
are given by assigning a user to AD security groups.
| Stefan [MSFT] 2005-11-26, 7:48 am |
Hi,

this is a known issue.

Unfortunately the only solution is to remove the user manually from the
rights groups using SiteManager and then to add the renamed user to the
rights group again.

There is no other supported solution and direct manipulation of the database
would break the Microsoft Support Boundaries for MCMS.

If this is not satisfying and your company has a premier support contract
with Microsoft you could open a support case to request a design change
request for this behaviour.

Cheers,
Stefan