A user just came to me to say he changed his password and then noticed that he can log into OWA using both the old and new password.
I had him try it on my computer and it would not allow him to do it, so I just told him to go clear his cache, thinking it was just strange voodoo that would go away.
He came back to me again and said if he logged in user domain\user then it would only work with his new password, but if used user@domain as the username, then he could log in with both passwords.
I had him show me on my machine and sure enough, it was true. I assume he was using his old and new password and have no reason to not believe him.
The only thing I could think was that he was authenticating using 2 different DCs that hadn't synchronized, but we only have one mail server and I can't see the browser going out through a remote site VPN to authenticate and then come back here to access the exchange server.
Any thoughts on this?