Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

LDAP authentication and cached passwords

Posted on 2007-11-28
4
Medium Priority
?
505 Views
Last Modified: 2013-12-04
Have a couple of applications that use the global catalog port 3289 to validate user logins and found that if user has changed their password, that their old password will still allow them to login for 2 - 10 hours after.  They cannot use the old password to login to Windows or Exchange.  Is this cached somewhere in the LDAP environment as a "grace" login, is it a replication setting till all DC have received the new object info?  
0
Comment
Question by:Lombwar
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 20367984
Documented change in 2K3 SP1.  Auth via LDAP with DN must not considered “Interactive logon” and therefore follows the rule that was implemented in Server 2003 SP1 that allows for the old password to be used for 1 hour after password change.

Samaccount name authorization via LDAP must be considered interactive logon, and therefore requires only the new password to work.

The KB reference that might explain it is http://support.microsoft.com/kb/906305
0
 

Author Comment

by:Lombwar
ID: 20368218
Even if we are at Service pack 2 of 2003 I am guessing that this is still set for a default of 60 minutes unless you add the entry to change the default?

This would make sense as one of the other servers that is still at 2000 when users authenticate to that this condition did not exist, so it appears to be what version of OS your authentication server is running, we also did not see this in other regions still running Win2k
0
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 375 total points
ID: 20368247
Correct.  Behaviour exists in SP1 or later.
0
 

Author Closing Comment

by:Lombwar
ID: 31411495
Thanks for the quick response
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question