ADFS logon issue "Your organization could not sign you into the service" 0x80041034

https://support.microsoft.com/kb/2535191

https://social.technet.microsoft.com/wiki/contents/articles/4110.ad-fs-2-0-claims-are-missing-from-the-output-claim-set-after-a-user-s-name-has-changed.aspx

After a user is renamed in the local Active Directory (the sAMAccountName or the UPN prefix is changed), that user is no longer able to log on; the dialog that appears reads "Your organization could not sign you into the service".
All other users are still able to log on. Only the users whose names were changed recently experience the issue.

Symptoms
• Federated logon fails for some users. Other users are fine.
• The embedded HRESULT is 0x80041034 (PP_E_INVALID_MEMBERNAME: The specified member name is either invalid or empty).
• The sAMAccountName of the affected user has changed recently.
• A Netmon trace taken on the AD FS server(s) during a repro shows the LDAP query using the wrong (old) sAMAccountName.

Cause

The LSA lookup cache on the AD FS server(s) holds a stale entry for the user's SID. The server therefore resolves SID -> Domain\Old_sAMAccountName instead of SID -> Domain\Current_sAMAccountName.

The LDAP query that AD FS performs to generate claims searches by the old sAMAccountName, gets no hit, and returns no attributes. AD FS then issues an empty token with no saml:AttributeStatement, and OrgID (the Microsoft Online sign-in service) reports 0x80041034 (PP_E_INVALID_MEMBERNAME: The specified member name is either invalid or empty).
 
Resolution

Temporarily disable the LSA SID cache by setting LsaLookupCacheMaxSize as described in https://support.microsoft.com/kb/2535191.
Alternatively, any one of the following also clears the stale entry:
• Reboot the AD FS server(s).
• Change the sAMAccountName back to its previous value in AD.
• Use PsGetSid.exe from Sysinternals on the AD FS server(s) to force a fresh SID lookup and refresh the LSA cache entry.
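The following PowerShell script is an added example, not part of the original article or of any Microsoft tooling. It lets an AD FS administrator confirm the stale-cache condition described above before touching anything: it reads the user's current sAMAccountName and SID from AD, asks the local LSA (cache included) what that SID resolves to, and flags a mismatch. With -DisableCache it applies the KB 2535191 workaround. Assumptions: it runs elevated on the AD FS server, the RSAT ActiveDirectory module is installed, and the LsaLookupCacheMaxSize value lives under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa as the KB documents; the parameter names ($SamAccountName, $DisableCache) are the script's own.

```powershell
# Added example (not from the page). Detect a stale SID -> name mapping in the
# local LSA cache on an AD FS server and, optionally, disable the cache per KB 2535191.
# Assumptions: elevated session on the AD FS server, RSAT ActiveDirectory module present,
# registry location HKLM:\SYSTEM\CurrentControlSet\Control\Lsa (from KB 2535191).
param(
    [Parameter(Mandatory)] [string] $SamAccountName,   # the user's CURRENT name in AD
    [switch] $DisableCache                             # apply the LsaLookupCacheMaxSize=0 workaround
)

Import-Module ActiveDirectory

# 1. Authoritative view: what AD says right now for this account.
$adUser = Get-ADUser -Identity $SamAccountName -Properties sAMAccountName, userPrincipalName
$sid    = $adUser.SID

# 2. Local view: what this server's LSA (going through its lookup cache) resolves the SID to.
#    SecurityIdentifier.Translate() calls LsaLookupSids, so it sees the same stale entry AD FS does.
$ntAccount = $sid.Translate([System.Security.Principal.NTAccount])
$localName = ($ntAccount.Value -split '\\')[-1]

if ($localName -ieq $adUser.sAMAccountName) {
    Write-Host "OK: LSA resolves $sid to $($ntAccount.Value), which matches AD."
} else {
    Write-Warning "STALE: LSA resolves $sid to $($ntAccount.Value), but AD says $($adUser.sAMAccountName)."
    Write-Warning "Claim rules that query LDAP by sAMAccountName will get no hit, so the token will carry no attributes (0x80041034 at OrgID)."
}

if ($DisableCache) {
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # Record the previous value so it can be restored once the stale entries have expired.
    $old = (Get-ItemProperty -Path $lsaKey -Name LsaLookupCacheMaxSize -ErrorAction SilentlyContinue).LsaLookupCacheMaxSize
    Write-Host ("Previous LsaLookupCacheMaxSize: " + $(if ($null -eq $old) { '<not set, default cache size>' } else { $old }))

    # 0 disables the LSA lookup cache; every SID/name lookup now goes to a domain controller.
    Set-ItemProperty -Path $lsaKey -Name LsaLookupCacheMaxSize -Value 0 -Type DWord

    # Re-check immediately: with the cache disabled the lookup should now match AD.
    $after = $sid.Translate([System.Security.Principal.NTAccount]).Value
    Write-Host "After disabling the cache, LSA resolves $sid to $after"
    Write-Host "Remember to restore LsaLookupCacheMaxSize (or remove the value) afterwards; a disabled cache adds a DC round trip to every lookup."
}
```

Run it once per AD FS server in the farm with the renamed user's current name, e.g. .\Check-LsaSidCache.ps1 -SamAccountName jdoe; a STALE result on a server confirms that server as the one producing empty tokens. The script deliberately records and prints the previous registry value so the temporary workaround can be reverted once the affected entries have aged out or the servers have been rebooted.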