System error following account name change

After a user name has been changed on an Active Directory domain controller a SecureAuth appliance displays the following error "System Error: We are unable to continue at this time because of uncommitted user account changes. Please log off your system, log back in, and try again." when trying to authenticate the affected user account.

This error can be generated when the affected user account has become stored in the LSA Lookup Cache on the appliance prior to being modified. In this scenario, the LsaLookupSids function may return the old user name instead of the new user name as the domain controllers are never queried. The cache entries do time out, however chances are that with recurring queries the existing cache entry will survive for the maximum lifetime of the entry. By default the expiry for an LSA Cache entry is 10080 minutes which means the appliance might not see the account change for up to 7 days.

To address the issue immediately the following actions can be taken:

If this issue is a recurring problem the following steps can be taken to change the behavior of the LSA Lookup Cache

The expiry for an LSA Cache Entry can be set lower by adding a registry key to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

LsaLookupCacheExpireTime (DWORD). The time to live of an entry in the cache in minutes. The default is 10080

SecureAuth recommends that this key be set to no less than 720 minutes (12 hours). If set to a lower value an unexpected activity increase can occur on the AD DCs and slow SecureAuth application performance.