LDAP bind allowing old password for 1 hour



We are implementing a Single Sign On (SSO) solution that is using LDAP bind
to an Active Directory authentication domain as its means of authenticating
a user. We have discovered that a SSO user can authenticate with their old
password for one hour after the password has been changed. Other means of
authentication to the authentication domain are not allowing this one hour
grace period. Since administratively changing the password is our method of
locking out an account, this one hour grace period is not acceptable. Is
there a way of reducing it similar to the registry change given in KB906305
for a similar issue with NTLM authentication? We have tried making the
registry change in KB906305 by defining
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\OldPasswordAllowedPeriod
as a DWORD with the value of 1 but the LDAP bind with the old password is
still working for up to one hour (even after a reboot of the domain
controller). (Note we are testing using a domain with a single domain
controller so replication delays between domain controllers can be ruled
out.) The following is a test VBScript that can be used to replicate the
problem once customised to the domain being used for testing.

[CODE]
' Test script: bind to AD as a named user via the ADSI OLE DB provider and
' look the user up. Change MyDomainFull, the bind DN and the password to
' match the test domain.
const MyDomainFull = "ADserver.ad.com"
set MyRootDSE = GetObject("LDAP://" & MyDomainFull & "/RootDSE")

' Default naming context of the domain, e.g. DC=ad,DC=com
MyRootDN = MyRootDSE.Get("defaultNamingContext")

' The bind happens on Open using the supplied credentials
Set MyConn = CreateObject("ADODB.Connection")
MyConn.Provider = "ADsDSOObject"
MyConn.Properties("User ID") = "CN=MyUser,OU=users,DC=ADserver,DC=ad,DC=com"
MyConn.Properties("Password") = "MyPwd"
MyConn.open "ADSI"

' ADO LDAP dialect: <base>;(filter);attributes;scope
MyLDAPStr = _
"<LDAP://" & MyDomainFull & "/ou=users," & MyRootDN & ">;" & _
"(&(objectCategory=person)(objectClass=user)(cn=MyUser))" & _
";cn,mail;subtree"

Set MyRS = MyConn.Execute(MyLDAPStr)

If Not MyRS.EOF Then
wscript.echo "Not end of file"
MyMail = MyRS.Fields("mail").Value
wscript.echo MyMail
wscript.echo MyRS.Fields("cn").Value
Else
wscript.echo "- record not found in AD"
End If

MyRS.Close
MyConn.Close

Wscript.Quit
[/CODE]
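An added example, not part of the original post, that measures the grace window directly rather than by hand: after administratively resetting a test account's password, it re-attempts an LDAP simple bind with the old and the new password once a minute and records when the old one stops being accepted. It uses System.DirectoryServices.Protocols with AuthType Basic so the test exercises the simple-bind path specifically (Negotiate would go through Kerberos/NTLM instead); server name, account DN, interval and timeout are placeholders.

```powershell
# Added example: probe how long an OLD password still satisfies an LDAP simple
# bind after a reset. Run only against a test account on a test DC.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server      = 'ADserver.ad.com'                     # placeholder DC
$UserDn      = 'CN=MyUser,OU=users,DC=ad,DC=com'     # placeholder bind DN
$OldPassword = Read-Host -AsSecureString 'Old (pre-reset) password'
$NewPassword = Read-Host -AsSecureString 'New password'
$IntervalSec = 60
$MaxMinutes  = 70    # stop a little past the one-hour window being investigated

function Test-LdapSimpleBind {
    param([string]$Server, [string]$Dn, [securestring]$Password)
    $cred = New-Object System.Net.NetworkCredential($Dn, $Password)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    # Basic = LDAP simple bind with the DN; this is the path the post is about.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    # Plain 389 is used here for a lab DC; set to $true for LDAPS (636) elsewhere.
    $conn.SessionOptions.SecureSocketLayer = $false
    try   { $conn.Bind($cred); return $true }
    catch [System.DirectoryServices.Protocols.LdapException] { return $false }
    finally { $conn.Dispose() }
}

$start = Get-Date
while ($true) {
    $elapsed = [int]((Get-Date) - $start).TotalMinutes
    $oldOk = Test-LdapSimpleBind $Server $UserDn $OldPassword
    $newOk = Test-LdapSimpleBind $Server $UserDn $NewPassword
    '{0:u}  +{1,3} min  old accepted: {2,-5}  new accepted: {3}' -f (Get-Date), $elapsed, $oldOk, $newOk

    # If the new password is refused, the probe itself is broken (wrong DN,
    # signing required, account locked); do not treat that as the window closing.
    if (-not $newOk) { Write-Warning 'New password rejected; check DN, signing policy or lockout.'; break }
    if (-not $oldOk) { "Old password stopped working after about $elapsed minute(s)."; break }
    if ($elapsed -ge $MaxMinutes) { "Old password still accepted after $MaxMinutes minutes."; break }
    Start-Sleep -Seconds $IntervalSec
}
```

Each probe is a real bind, so expect matching success/failure logon events on the domain controller while it runs; the log line showing the old password being refused is the figure to compare against OldPasswordAllowedPeriod.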
