Password change allow usage of old password for 5 min Policy Server

Article ID: 229577

Products

SITEMINDER CA Single Sign On Agents (SiteMinder)

Issue/Introduction

When running a Policy Server, even after a user has changed their
password, they can still log in to the application with the old
password as well as the new one for 5 minutes after the change. So
for 5 minutes, the user has 2 valid passwords.

This happens with the self-service change password flow, in which the
user receives a temporary password.

Cause

The issue is due to the OldPasswordAllowedPeriod registry value on
the Active Directory domain controllers that back the User Store (1).
Windows keeps the previous password valid for NTLM network
authentication for a configurable grace period after a change, so the
Policy Server, which authenticates users against that directory,
accepts both passwords during that window.

Resolution

- Configure OldPasswordAllowedPeriod on the domain controllers to the
  grace period you want (see (1) below); no restart is required for the
  change to take effect.
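The following script is an added example, not part of this article or of the SiteMinder product, showing how an administrator would inspect and set OldPasswordAllowedPeriod on a domain controller. The registry path and value name follow the Microsoft article cited in (1); the function names and the -Minutes parameter are this example's own, and the meaning of a 0 value is an assumption that should be confirmed against that article before applying.

```powershell
# Added example (not from the Broadcom KB or from SiteMinder): inspect and set
# the OldPasswordAllowedPeriod grace period on a domain controller.
# Registry location per the Microsoft article cited in the KB's note (1);
# run in an elevated PowerShell session on each domain controller.

$LsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'OldPasswordAllowedPeriod'

function Get-OldPasswordAllowedPeriod {
    # Returns the configured grace period in minutes, or $null when the value
    # is absent (in which case Windows applies its built-in default).
    $item = Get-ItemProperty -Path $LsaPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-OldPasswordAllowedPeriod {
    # Hypothetical helper name; -Minutes is this example's own parameter.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][ValidateRange(0, 1440)][int]$Minutes
    )
    if ($PSCmdlet.ShouldProcess("$LsaPath\$ValueName", "Set to $Minutes minute(s)")) {
        # REG_DWORD holding the number of minutes the old password stays valid.
        # No reboot is needed for the change to take effect.
        New-ItemProperty -Path $LsaPath -Name $ValueName -PropertyType DWord `
            -Value $Minutes -Force | Out-Null
    }
}

# Report the current state before changing anything.
$current = Get-OldPasswordAllowedPeriod
if ($null -eq $current) {
    Write-Host "$ValueName is not set; the Windows default grace period applies."
} else {
    Write-Host "$ValueName is currently $current minute(s)."
}

# Tighten the window. A value of 0 is assumed here to mean "no grace period",
# so only the new password is accepted right after a change; confirm this
# against the cited Microsoft article for your Windows version. -WhatIf
# previews the write; drop it to apply.
Set-OldPasswordAllowedPeriod -Minutes 0 -WhatIf
```

Because the grace period is evaluated on the domain controller, the value must be set on every domain controller the Policy Server's User Store may authenticate against; a value left at the default on one controller keeps the old-password window open for logins that happen to hit it.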

Additional Information

(1) Microsoft: New setting modifies NTLM network authentication behavior

      Domain users can use their old password to access the network for
      one hour after the password is changed.

      The lifetime period of the old password can be configured by editing
      the registry on a domain controller. No restart is required for this
      registry change to take effect.

    https://docs.microsoft.com/en-US/troubleshoot/windows-server/windows-security/new-setting-modifies-ntlm-network-authentication