LDAP authentication and cached passwords

I have a couple of applications that use the global catalog port 3289 to validate user logins, and I found that if a user has changed their password, the old password will still allow them to log in for 2 - 10 hours afterwards. They cannot use the old password to log in to Windows or Exchange. Is this cached somewhere in the LDAP environment as a "grace" login, or is it a replication setting until all DCs have received the new object info?
Lombwar asked:

LauraEHunterMVP commented:
Correct.  Behaviour exists in SP1 or later.
 
LauraEHunterMVP commented:
Documented change in 2K3 SP1. Auth via LDAP with a DN must not be considered an "interactive logon", and therefore follows the rule that was implemented in Server 2003 SP1 that allows the old password to be used for 1 hour after a password change.

sAMAccountName authorization via LDAP must be considered an interactive logon, and therefore requires the new password only.

The KB reference that might explain it is http://support.microsoft.com/kb/906305
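The KB referenced above documents the setting that controls this window. As an added example (not part of the original thread or the KB), the following PowerShell script reads that value from every domain controller so you can confirm the grace period actually in effect before changing it. The registry path `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` and the value name `OldPasswordAllowedPeriod` (REG_DWORD, minutes) are taken from KB 906305; the `Get-OldPasswordWindow` function, the use of the ActiveDirectory module and of the Remote Registry service on each DC are assumptions of this example.

```powershell
# Added example (not from the original thread): report the NTLM old-password
# grace window on every domain controller.
#
# Registry location and value name are the ones documented in KB 906305:
#   HKLM\SYSTEM\CurrentControlSet\Control\Lsa
#   OldPasswordAllowedPeriod   (REG_DWORD, minutes; 0 disables the window)
# On Windows Server 2003 SP1 and later an absent value means the default of
# 60 minutes applies. Windows 2000 DCs have no such window at all.
#
# Assumptions: the ActiveDirectory module is available, the Remote Registry
# service is reachable on each DC, and the caller can read HKLM remotely.

function Get-OldPasswordWindow {
    # $DomainController: objects with HostName and OperatingSystem properties,
    # as returned by Get-ADDomainController.
    param([object[]]$DomainController)

    foreach ($dc in $DomainController) {
        $configured = $null
        $status     = 'ok'
        try {
            $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                        [Microsoft.Win32.RegistryHive]::LocalMachine, $dc.HostName)
            $lsa  = $base.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
            $configured = $lsa.GetValue('OldPasswordAllowedPeriod')   # $null when absent
            $lsa.Close(); $base.Close()
        } catch {
            $status = "error: $($_.Exception.Message)"
        }

        # Effective window: explicit value wins; otherwise the SP1+ default of
        # 60 minutes, except on Windows 2000 where the behaviour does not exist.
        if ($null -ne $configured) {
            $display   = $configured
            $effective = [int]$configured
        } elseif ($dc.OperatingSystem -match '2000') {
            $display   = '(not set)'
            $effective = 0
        } else {
            $display   = '(not set, default)'
            $effective = 60
        }

        [pscustomobject]@{
            DC               = $dc.HostName
            OS               = $dc.OperatingSystem
            Configured       = $display
            EffectiveMinutes = $effective
            Status           = $status
        }
    }
}

# Enumerate the domain's DCs and report the window on each one.
$dcs = Get-ADDomainController -Filter *
Get-OldPasswordWindow -DomainController $dcs |
    Sort-Object DC |
    Format-Table DC, OS, Configured, EffectiveMinutes, Status -AutoSize

# To shorten or disable the window, set the value on the DC itself, e.g. 0
# minutes. Check KB 906305 for whether your build needs a restart afterwards.
#   Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
#       -Name OldPasswordAllowedPeriod -Type DWord -Value 0
```

Run it from a domain-joined workstation with the AD module installed; any DC that reports `(not set, default)` is honouring the 60-minute window the answer above describes, and a mixed environment (2003 SP1+ next to Windows 2000) will show exactly the per-region difference the asker noticed.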
 
Lombwar (author) commented:
Even though we are at Service Pack 2 of 2003, I am guessing that this is still set to a default of 60 minutes unless you add the entry to change the default?

This would make sense, as on one of the other servers that is still at 2000 this condition did not exist when users authenticated to it. So it appears to depend on which version of the OS your authentication server is running; we also did not see this in other regions still running Win2k.
 
Lombwar (author) commented:
Thanks for the quick response