Solved

LDAP authentication and cached passwords

Posted on 2007-11-28
4
477 Views
Last Modified: 2013-12-04
Have a couple of applications that use the global catalog port 3289 to validate user logins and found that if user has changed their password, that their old password will still allow them to login for 2 - 10 hours after.  They cannot use the old password to login to Windows or Exchange.  Is this cached somewhere in the LDAP environment as a "grace" login, is it a replication setting till all DC have received the new object info?  
0
Comment
Question by:Lombwar
  • 2
  • 2
4 Comments
 
LVL 30

Expert Comment

by:LauraEHunterMVP
Comment Utility
Documented change in 2K3 SP1.  Auth via LDAP with DN must not considered “Interactive logon” and therefore follows the rule that was implemented in Server 2003 SP1 that allows for the old password to be used for 1 hour after password change.

Samaccount name authorization via LDAP must be considered interactive logon, and therefore requires only the new password to work.

The KB reference that might explain it is http://support.microsoft.com/kb/906305
0
 

Author Comment

by:Lombwar
Comment Utility
Even if we are at Service pack 2 of 2003 I am guessing that this is still set for a default of 60 minutes unless you add the entry to change the default?

This would make sense as one of the other servers that is still at 2000 when users authenticate to that this condition did not exist, so it appears to be what version of OS your authentication server is running, we also did not see this in other regions still running Win2k
0
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 125 total points
Comment Utility
Correct.  Behaviour exists in SP1 or later.
0
 

Author Closing Comment

by:Lombwar
Comment Utility
Thanks for the quick response
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now