nigelwhttp://blogs.technet.com/b/nigelw/atom.aspxTelligent Evolution Platform Developer Build (Build: 5.6.50428.7875)2013-01-23T11:51:00ZADFS logon issue "Your organization could not sign you into the service" 0x80041034 http://blogs.technet.com/b/nigelw/archive/2013/01/23/adfs-logon-issue-quot-your-organization-could-not-sign-you-into-the-service-quot-0x80041034.aspx2013-01-23T12:00:20Z2013-01-23T12:00:20Z<p><a href="http://support.microsoft.com/kb/2535191">http://support.microsoft.com/kb/2535191</a></p>
<p><a href="http://social.technet.microsoft.com/wiki/contents/articles/4110.ad-fs-2-0-claims-are-missing-from-the-output-claim-set-after-a-user-s-name-has-changed.aspx">http://social.technet.microsoft.com/wiki/contents/articles/4110.ad-fs-2-0-claims-are-missing-from-the-output-claim-set-after-a-user-s-name-has-changed.aspx</a></p>
<p>After a user rename in the local Active directory, (the samaccount name, or UPN prefix)<br />The user is unable to logon the error displayed in a dialog suggests "Your organization could not sign you into the service"<br />All other users are still able to logon only the users who have recently had there names chnged experience the issue.</p>
<p>Symptoms<br />• Federated logon fails for some users. Other users are fine. <br />• Embedded HR code is 0x80041034 (PP_E_INVALID_MEMBERNAME The specified member name is either invalid or empty)<br />• Samaccountname has changed recently for user<br />• Netmon trace on ADFS server(s) at repro shows LDAP query use wrong samacccountname</p>
<p>Cause<br /> <br />LSA cache on AD FS server(s) has stale entries for SID of the user. Therefore SID Domain\Old_Samaccountname instead of SID domain\current_samaccountname<br /> <br />The LDAP query performed for claim generation fails to return attributes as it gets not hit when searching by old samaccountname. Thus, ADFS issues an empty token without saml:attributestatement. So OrgID generate 0x80041034 (PP_E_INVALID_MEMBERNAME The specified member name is either invalid or empty)<br /> <br />Resolution<br /> <br />Disable SID cache temporarily using LsaLookupCacheMaxSize as per <a href="http://support.microsoft.com/kb/2535191">http://support.microsoft.com/kb/2535191</a> <br />You could also either <br />• reboot ADFS server<br />• Change samaccountname back to previous value in AD<br />• Use psgetsid.exe from sysinternals to update LSA cache on AD FS server(s)</p>
<p> </p>
<p> </p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3547773" width="1" height="1">nigelwoodhttp://blogs.technet.com/woodnj_4000_hotmail.com/ProfileUrlRedirect.ashxTechnical discussions on Office 365 / for shared services / the domains part of Office 365 / ADFS / Directory synchttp://blogs.technet.com/b/nigelw/archive/2013/01/23/technical-discussions-on-office-365-for-shared-services-the-domains-part-of-office-365-adfs-directory-sync.aspx2013-01-23T11:51:00Z2013-01-23T11:51:00Z<p>First blog</p>
<p>This blog is intended to cover the technologies I support as a Microsoft technical support engineer.</p>
<p>I work in the CTS team for Microsoft in the UK (EMEA), dealing with what we term as shared services (identity) related issues.</p>
<p>Issue relate to ADFS, Logon, Directory Sync, AD to Cloud issues, the areas where the Exchange / Lync / SharePoint teams do not cover.</p>
<p>I hope to blog on common issues I see with my technologies so hope that this information may be of use the anyone running into problems.</p>
<p>Thanks</p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3547770" width="1" height="1">nigelwoodhttp://blogs.technet.com/woodnj_4000_hotmail.com/ProfileUrlRedirect.ashx