Layer 7 Privileged Access Management

Expand all | Collapse all

Users can authenticate with old and new AD password simateously

Jump to Best Answer
  • 1.  Users can authenticate with old and new AD password simateously

    Posted 08-26-2019 05:33 AM
    Hi,

    we are using Active Directory authentication with CA PAM 3.2.3. We have done some tests with password changes.
    After user has changed his password he can login with both (old and new) passwords. This possibility took some time. After several minutes user was able to login only with the new password.

    Has someone any idea what is in background of this behavior? How to disable it?

    Thank All for hints,

    ------------------------------
    Lukas
    ------------------------------


  • 2.  RE: Users can authenticate with old and new AD password simateously

    Posted 08-26-2019 09:26 AM
    Hi Lukas,

    - How was the password changed, meaning from CA PAM or directly in AD
    - After the password change was is synchronized in CA PAM
    - what is the AD you are using, 2012, 2016?

    Thanks,
    Reatesh.

    ------------------------------
    Principal Support Engineer
    Broadcom
    ------------------------------



  • 3.  RE: Users can authenticate with old and new AD password simateously
    Best Answer

    Posted 08-28-2019 04:29 AM
    As wrote me Mike Berthold,

    seems that the problem originates in Domain Controller registry settings:

    "There is a registry setting on the Domain Controllers defining how long an old password remains valid after a password change, at least for NTLM authentication: https://support.microsoft.com/en-ca/help/906305/new-setting-modifies-ntlm-network-authentication-behavior"


  • 4.  RE: Users can authenticate with old and new AD password simateously

    Posted 08-28-2019 10:50 AM
    Hi Lukas,

    That's great news. Glad to help. 

    Take care,
    Mike

    ------------------------------
    Mike Berthold
    Solution Architect
    ------------------------------