Symptoms

  • A user has previously authenticated via AD FS 2.0
  • The user's account name has changed (for example, the sAMAccountName or UPN).
  • After the name change, the user does not receive the expected set of output claims from AD FS 2.0.

Cause

  • The Local Security Authority (LSA) on each AD FS 2.0 server keeps a cache of user name to security identifier (SID) translations. After the rename, that cache still holds the entry for the old user name, which is why the set of output claims AD FS 2.0 issues for this user changes.

Resolution

  • To clear the LSA user name to SID translation cache, either reboot the AD FS 2.0 server(s) or follow the guidance for the LsaLookupCacheMaxSize registry key in the following Knowledge Base article:

946358 The LsaLookupSids function may return the old user name instead of the new user name if the user name has changed on a domain controller
http://support.microsoft.com/default.aspx?scid=kb;EN-US;946358
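The registry route from the Resolution, written out as an added PowerShell example that is not part of this article or of KB 946358. It assumes the LsaLookupCacheMaxSize value lives under HKLM\SYSTEM\CurrentControlSet\Control\Lsa and that a value of 0 disables (and so empties) the lookup cache, as KB 946358 describes; the account name CONTOSO\jdoe is a constructed sample.

```powershell
# Added example (not from the KB article). Run elevated on each AD FS 2.0 server.
# Assumption: LsaLookupCacheMaxSize is a DWORD under the Lsa key and 0 disables the cache.
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'LsaLookupCacheMaxSize'

function Test-NameResolution {
    param([string]$AccountName)   # constructed sample, e.g. 'CONTOSO\jdoe'
    # Resolve the new name to its SID, then the SID back to a name.
    # A stale LSA cache entry shows up here as the OLD name coming back.
    $nt   = New-Object System.Security.Principal.NTAccount($AccountName)
    $sid  = $nt.Translate([System.Security.Principal.SecurityIdentifier])
    $back = $sid.Translate([System.Security.Principal.NTAccount]).Value
    [pscustomobject]@{
        Requested    = $AccountName
        Sid          = $sid.Value
        ResolvedName = $back
        Stale        = ($back -ne $AccountName)
    }
}

function Clear-LsaLookupCache {
    # Remember the current setting (absent means the default cache size is in use)
    # so the server is not left with LSA caching permanently disabled.
    $existing = Get-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction SilentlyContinue
    $original = if ($existing) { $existing.$valueName } else { $null }

    # Setting the size to 0 disables the cache, which discards the stale entries.
    Set-ItemProperty -Path $lsaKey -Name $valueName -Value 0 -Type DWord

    # Restore the previous state: delete the value if it was not there before.
    if ($null -eq $original) {
        Remove-ItemProperty -Path $lsaKey -Name $valueName
    } else {
        Set-ItemProperty -Path $lsaKey -Name $valueName -Value $original -Type DWord
    }
}

# Before: expect Stale = True for a renamed user while the old entry is cached.
Test-NameResolution -AccountName 'CONTOSO\jdoe'
Clear-LsaLookupCache
# After: the SID should now resolve to the renamed account (Stale = False).
Test-NameResolution -AccountName 'CONTOSO\jdoe'
```

Leaving the value at 0 keeps the cache disabled and sends every lookup to a domain controller, so restoring the original setting matters on a busy federation server.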