System error following account name change
Symptom
After a user name has been changed on an Active Directory domain controller a SecureAuth appliance displays the following error "System Error: We are unable to continue at this time because of uncommitted user account changes. Please log off your system, log back in, and try again." when trying to authenticate the affected user account.
Cause
This error can be generated when the affected user account has become stored in the LSA Lookup Cache on the appliance prior to being modified. In this scenario, the LsaLookupSids function may return the old user name instead of the new user name as the domain controllers are never queried. The cache entries do time out, however chances are that with recurring queries the existing cache entry will survive for the maximum lifetime of the entry. By default the expiry for an LSA Cache entry is 10080 minutes which means the appliance might not see the account change for up to 7 days.
Resolution
To address the issue immediately the following actions can be taken:
The maximum time an entry can be present in the LSA Lookup Cache, by default, is up to 7 days. Which means if it's possible to wait the problem will be resolved without administrative intervention.
A reboot of the appliance will clear the LSA Lookup Cache.
Follow the instructions in Microsoft KB 946358. Please note that after the cache has been disabled and the problem resolved SecureAuth recommends that the setting be immediately changed back to the default value of 128. Failure to change the setting back to default could cause an unexpected increase on the AD DCs and slow SecureAuth application performance.
If this issue is a recurring problem the following steps can be taken to change the behavior of the LSA Lookup Cache
The expiry for an LSA Cache Entry can be set lower by adding a registry key to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
LsaLookupCacheExpireTime (DWORD). The time to live of an entry in the cache in minutes. The default is 10080
SecureAuth recommends that this key be set to no less than 720 minutes (12 hours). If set to a lower value an unexpected activity increase can occur on the AD DCs and slow SecureAuth application performance.