
We have a situation, due to a recent employee name change, where the HttpContext.Current.User.Identity.Name property of an ASP.NET web application resolves to the old username. This has been discussed in great detail here, here, and again here. Resetting the LsaLookupCacheMaxSize for the LsaLookupSids function to zero will apparently resolve this problem.

The odd thing for us is that, of the many web applications we have (all intranet, Windows authentication, IIS 7.5, ASP.NET), the only one that denies access to recently renamed employees is the one that has the Negotiate provider sitting above NTLM in the IIS Windows Authentication provider list.

The web sites with NTLM on top do not have this problem.

My question is: Does NTLM bypass the LSA SID cache on the web servers and authenticate directly with the domain controller?

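The two settings the question turns on, as an added example that is not part of the original post: the `LsaLookupCacheMaxSize` value that the linked discussions say should be set to zero, and the Windows Authentication provider order of each IIS site. The registry key (`HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, REG_DWORD) is the one Microsoft documents for `LsaLookupSids` caching; the IIS query path is the standard `WebAdministration` module shipped with IIS 7.5. The script is assumed to be run elevated on the web server; the remark that already-cached SID entries may survive until LSA restarts is an assumption, not something the post states.

```powershell
# Added example (not the poster's code). Run elevated on the IIS 7.5 web server.
# 1. Inspect (and optionally disable) the LSA SID-to-name lookup cache.
# 2. List the Windows Authentication provider order for every site, so the
#    sites with Negotiate above NTLM can be compared with those with NTLM on top.

$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'LsaLookupCacheMaxSize'

# Current value; absent means the default cache size is in effect.
$current = Get-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $current) {
    Write-Host "$valueName is not set (default LSA lookup cache size in effect)"
} else {
    Write-Host "$valueName = $($current.$valueName)"
}

# Setting the value to 0 disables the cache, so LsaLookupSids resolves every
# SID against the domain controller instead of returning a stale cached name.
# Assumption: entries already cached may persist until the LSA process
# restarts, so verify on a fresh lookup after applying.
# Uncomment to apply:
# New-ItemProperty -Path $lsaKey -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null

# Windows Authentication provider order per site. The providers collection is
# <providers><add value="Negotiate"/><add value="NTLM"/></providers>; IIS tries
# them in the order listed, so the first entry is the one the client sees first.
Import-Module WebAdministration

$filter = 'system.webServer/security/authentication/windowsAuthentication'
foreach ($site in Get-Website) {
    $enabled = (Get-WebConfigurationProperty -Filter $filter -Name 'enabled' `
                -PSPath 'IIS:\' -Location $site.Name).Value
    $providers = Get-WebConfiguration -Filter "$filter/providers/add" `
                 -PSPath 'IIS:\' -Location $site.Name |
                 ForEach-Object { $_.value }

    # Flag the configuration the poster singled out: Negotiate listed first.
    $note = ''
    if ($providers.Count -gt 0 -and $providers[0] -eq 'Negotiate') {
        $note = '  <- Negotiate on top (the configuration that showed stale names)'
    }
    Write-Host ("{0,-30} enabled={1,-5} providers={2}{3}" -f `
        $site.Name, $enabled, ($providers -join ' > '), $note)
}
```

Reading the output side by side with the question: if the sites that work correctly all show `NTLM > Negotiate` and the broken one shows `Negotiate > NTLM`, that matches the pattern the poster describes; the script only makes the two configurations visible, it does not by itself establish which code path (LSA cache or a direct DC round-trip) each provider takes.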
