Symantec Privileged Access Management

  • 1.  Users can authenticate with old and new AD password simultaneously

    Posted Aug 26, 2019 05:33 AM
    Hi,

    We are using Active Directory authentication with CA PAM 3.2.3. We have done some tests with password changes.
    After a user has changed his password, he can log in with both the old and the new password. This possibility lasted for some time; after several minutes the user was able to log in only with the new password.

    Does anyone have any idea what is behind this behavior? How can it be disabled?

    Thanks all for hints,

    ------------------------------
    Lukas
    ------------------------------


  • 2.  RE: Users can authenticate with old and new AD password simultaneously

    Broadcom Employee
    Posted Aug 26, 2019 09:26 AM
    Hi Lukas,

    - How was the password changed, meaning from CA PAM or directly in AD?
    - After the password change, was it synchronized in CA PAM?
    - What AD version are you using, 2012 or 2016?

    Thanks,
    Reatesh.

    ------------------------------
    Principal Support Engineer
    Broadcom
    ------------------------------



  • 3.  RE: Users can authenticate with old and new AD password simultaneously
    Best Answer

    Posted Aug 28, 2019 04:29 AM
    As Mike Berthold wrote to me,

    it seems that the problem originates in Domain Controller registry settings:

    "There is a registry setting on the Domain Controllers defining how long an old password remains valid after a password change, at least for NTLM authentication: https://support.microsoft.com/en-ca/help/906305/new-setting-modifies-ntlm-network-authentication-behavior"

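As an added example (not part of this thread, nor CA PAM's own tooling), the following PowerShell audits the grace period on one or more domain controllers. It assumes the setting is the one documented in the Microsoft KB linked above, the REG_DWORD value `OldPasswordAllowedPeriod` (in minutes) under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, and that when the value is absent Windows applies its built-in default of 60 minutes, which is what the KB describes. The value name and default are taken from that KB, not from this thread. The optional `-DesiredMinutes` parameter (a name chosen here) writes the value; run the script with administrative rights on the DC or via remoting.

```powershell
# Added example: audit (and optionally set) the NTLM old-password grace period on DCs.
# Assumption (from Microsoft KB 906305, not from the thread):
#   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OldPasswordAllowedPeriod, REG_DWORD, minutes.
#   Absent value => built-in default of 60 minutes. 0 => old password rejected immediately.
[CmdletBinding()]
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),   # DCs to check
    [Nullable[int]]$DesiredMinutes = $null              # set this value if supplied (hypothetical parameter)
)

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'OldPasswordAllowedPeriod'
$defaultMinutes = 60

$scriptBlock = {
    param($regPath, $valueName, $defaultMinutes, $desired)

    # Apply the requested value first, if the caller asked for one.
    if ($null -ne $desired) {
        Set-ItemProperty -Path $regPath -Name $valueName -Value ([int]$desired) -Type DWord
    }

    # Read back what is effective: explicit registry value, or the documented default when absent.
    $item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $minutes = $defaultMinutes
        $source  = 'default (value absent)'
    } else {
        $minutes = [int]$item.$valueName
        $source  = 'registry'
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        GraceMinutes   = $minutes
        Source         = $source
        OldPwdAccepted = ($minutes -gt 0)   # flag DCs where an old password still authenticates
    }
}

foreach ($dc in $ComputerName) {
    if ($dc -eq $env:COMPUTERNAME) {
        & $scriptBlock $regPath $valueName $defaultMinutes $DesiredMinutes
    } else {
        Invoke-Command -ComputerName $dc -ScriptBlock $scriptBlock `
            -ArgumentList $regPath, $valueName, $defaultMinutes, $DesiredMinutes
    }
}
```

A DC reporting `Source = default (value absent)` and `GraceMinutes = 60` matches the behaviour Lukas observed: the old password keeps working for roughly an hour after the change. Since the KB describes this as an NTLM network-authentication setting, any change should be made on every domain controller and verified with a test account, and the audit is worth repeating after DC rebuilds, because a fresh DC comes back with the default.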

  • 4.  RE: Users can authenticate with old and new AD password simultaneously

    Broadcom Employee
    Posted Aug 28, 2019 10:50 AM
    Hi Lukas,

    That's great news. Glad to help.

    Take care,
    Mike

    ------------------------------
    Mike Berthold
    Solution Architect
    ------------------------------