User can log into OWA using old password if username entered as user@domain

A user just came to me to say he changed his password and then noticed that he can log into OWA using both the old and new password.

I had him try it on my computer and it would not allow him to do it, so I just told him to go clear his cache, thinking it was just strange voodoo that would go away.

He came back to me again and said if he logged in user domain\user then it would only work with his new password, but if used user@domain as the username, then he could log in with both passwords.

I had him show me on my machine and sure  enough, it was true.  I assume he was using his old and new password and have no reason to not believe him.

The only thing I could think was that he was authenticating using 2 different DCs that hadn't synchronized, but we only have one mail server and I can't see the browser going out through a remote site VPN to authenticate and then come back here to access the exchange server.

Any thoughts on this?
LVL 1
Sys_Admin1Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

becraigCommented:
There is a cache setting in IIS / OWA
http://support.microsoft.com/kb/152526

When the user authenticates, he or she is given a token that is valid for a certain window.
So you have two potential things here:
1. A Global Catalog that has not yet caught up
2. The Token has not yet expired on the OWA server.

Here is some additional reading on this which should help.


http://www.techrepublic.com/article/why-does-my-old-password-work-via-activesync/
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Sys_Admin1Author Commented:
Thanks.  Here is another KB I found, which seems to be the same information.  http://support.microsoft.com/kb/267568

I'm currently running Exchange 2013 running on server 2012R2, with IIS 8.5
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.