Recently a user changed their password through Outlook Web Access and noticed that they were able to continue logging into OWA with both the old and new passwords.
One of our IT personnel reset the account password through one of our AD controllers using the Users and Computers snap-in, thinking there was an issue with OWA's change password feature, but both passwords could still be used in OWA.
The user logged off the workstation and found they were unable to use the old password and could only log in with the new one. When they logged on with the new password they were still able to log in to OWA with both passwords.
At first I thought maybe we had a replication issue with our AD controllers, but I ran repadmin and dcdiag on all three and no issues were found.
I tried restarting the Exchange services on the CAS server, but it still allowed both passwords in OWA. I tried restarting the IIS service on the CAS server and it stopped allowing the old password and only allowed the new one.
I'm assuming IIS on the CAS server is caching the old password and will eventually time out and only allow the new one? Assuming this is the case, is it possible to disable this caching feature in order to prevent this from happening again?