RE: LDAP bind allowing old password for 1 hour



Hello,

Thank you for your post.

Based on my research, to resolve this old password not expiring issue, you
need to define the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\OldPasswordAllowedPeriod
as a DWORD with the value of 0.

As you mentioned in your email that you had changed this value to 1, please
try changing this value to 0 and have another test to see whether this
will make any difference.

Moreover, as KB 906305 applies only to Windows Server 2003 with SP1, please
ensure you have installed SP1 on your server before doing the test.

Thanks and I look forward to hearing from you soon.

Sincerely,
Neo Zhu,
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| From: "AlanAlbany" <alanAlbany@xxxxxxxxxxxxx>
| Subject: LDAP bind allowing old password for 1 hour
| Date: Thu, 22 May 2008 11:58:30 +0800
| Message-ID: <OdADbA8uIHA.748@xxxxxxxxxxxxxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.active_directory
| NNTP-Posting-Host: adm332.admin.uwa.edu.au 130.95.230.180
|
| We are implementing a Single Sign On (SSO) solution that is using LDAP bind
| to an Active Directory authentication domain as its means of authenticating
| a user. We have discovered that a SSO user can authenticate with their old
| password for one hour after the password has been changed. Other means of
| authentication to the authentication domain are not allowing this one hour
| grace period. Since administratively changing the password is our method of
| locking out an account, this one hour grace period is not acceptable. Is
| there a way of reducing it similar to the registry change given in KB906305
| for a similar issue with NTLM authentication? We have tried making the
| registry change in KB906305 by defining
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\OldPasswordAllowedPeriod
| as a DWORD with the value of 1 but the LDAP bind with the old password is
| still working for up to one hour (even after a reboot of the domain
| controller). (Note we are testing using a domain with a single domain
| controller so replication delays between domain controllers can be ruled
| out.) The following is a test VBscript that can be used to replicate the
| problem once customised to the domain being used for testing.
|
| [CODE]
| ' Test script: bind to AD with the test user's credentials, then look the user up.
| ' Replace the server name, user DN and password with values for the test domain.
| Const MyDomainFull = "ADserver.ad.com"
| Set MyRootDSE = GetObject("LDAP://" & MyDomainFull & "/RootDSE")
|
| ' Default naming context of the domain, e.g. DC=ad,DC=com
| MyRootDN = MyRootDSE.Get("defaultNamingContext")
|
| ' Open an ADSI (ADsDSOObject) connection as the test user.
| ' If the credentials are rejected, MyConn.Open raises a runtime error.
| Set MyConn = CreateObject("ADODB.Connection")
| MyConn.Provider = "ADsDSOObject"
| MyConn.Properties("User ID") = "CN=MyUser,OU=users,DC=ADserver,DC=ad,DC=com"
| MyConn.Properties("Password") = "MyPwd"
| MyConn.Open "ADSI"
|
| ' ADO/ADSI query string: <base>;(filter);attributes;scope
| MyLDAPStr = _
|     "<LDAP://" & MyDomainFull & "/ou=users," & MyRootDN & ">;" & _
|     "(&(objectCategory=person)(objectClass=user)(cn=MyUser))" & _
|     ";cn,mail;subtree"
|
| Set MyRS = MyConn.Execute(MyLDAPStr)
|
| If Not MyRS.EOF Then
|     WScript.Echo "Not end of file"
|     MyMail = MyRS.Fields("mail")
|     WScript.Echo MyMail
|     WScript.Echo MyRS.Fields("cn")
| Else
|     WScript.Echo "- record not found in AD"
| End If
|
| MyRS.Close
| MyConn.Close
|
| WScript.Quit
| [/CODE]
|
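The poster's VBScript goes through the ADSI provider, so it is worth repeating the test with a plain LDAP simple bind (DN plus password) and checking the LSA value the reply points at. The script below is an added example, not code from the thread: it reads OldPasswordAllowedPeriod on the domain controller, shows how to set it to 0 as the reply suggests, and then binds with both the old and the new password so you can see whether the grace period is still in effect. The server name, user DN and both passwords are placeholders; the password reset line uses the ActiveDirectory module and is left commented so the rest runs without it.

```powershell
# Added example (not part of the original thread): reproduce the test above with
# an LDAP simple bind from PowerShell and read/set the LSA value from the reply.
# Server, user DN and passwords are placeholders (assumptions).
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server = 'ADserver.ad.com'                    # assumption: DC under test
$UserDn = 'CN=MyUser,OU=users,DC=ad,DC=com'    # assumption: DN of the test user
$OldPwd = 'OldP@ssw0rd'                        # assumption: password before the change
$NewPwd = 'NewP@ssw0rd'                        # assumption: password after the change

# Returns $true if the DC accepts an LDAP simple bind with this DN/password,
# $false if the bind is rejected (LdapException, e.g. invalid credentials).
function Test-LdapSimpleBind {
    param(
        [string]$Server,
        [string]$UserDn,
        [string]$Password,
        [switch]$UseSsl   # simple bind sends the password in clear; prefer LDAPS (636)
    )
    $port = if ($UseSsl) { 636 } else { 389 }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
    $cred = New-Object System.Net.NetworkCredential($UserDn, $Password)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred,
                [System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = [bool]$UseSsl
    try {
        $conn.Bind()
        return $true
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        return $false
    }
    finally {
        $conn.Dispose()
    }
}

# Current value of the key named in the reply (run this part on the DC).
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$cur = Get-ItemProperty -Path $LsaKey -Name OldPasswordAllowedPeriod -ErrorAction SilentlyContinue
if ($null -eq $cur) {
    Write-Host 'OldPasswordAllowedPeriod is not defined'
} else {
    Write-Host "OldPasswordAllowedPeriod = $($cur.OldPasswordAllowedPeriod)"
}

# To set it to 0 as the reply suggests (needs admin rights on the DC):
# Set-ItemProperty -Path $LsaKey -Name OldPasswordAllowedPeriod -Value 0 -Type DWord

# Administratively reset the password (ActiveDirectory module / RSAT), then bind
# with both passwords. Left commented so the script runs without the module.
# Set-ADAccountPassword -Identity MyUser -Reset -NewPassword (ConvertTo-SecureString $NewPwd -AsPlainText -Force)

$oldOk = Test-LdapSimpleBind -Server $Server -UserDn $UserDn -Password $OldPwd
$newOk = Test-LdapSimpleBind -Server $Server -UserDn $UserDn -Password $NewPwd
Write-Host ("old password accepted: {0}; new password accepted: {1}" -f $oldOk, $newOk)
if ($oldOk) { Write-Warning 'old password still accepted after the change' }
```

Run the bind test immediately after the reset and again later; the poster reports the old password being accepted for up to an hour, so a single immediate check is not enough to confirm the registry change took effect. Use -UseSsl against a DC with an LDAPS certificate, since a simple bind over port 389 sends the password unencrypted.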