Description

When the SSO Server is using a Windows 2003SP1 AD datastore as its user repository, after an AD user password change the SSO user can authenticate using LDAP authentication with both the old and new passwords to login the SSO Client.

This problem happens only on Windows 2003SP1 and later. It does not occur on Windows 2000.

Solution

There is a Microsoft Article (Article ID: 906305) which describes a similar problem for "Windows Server 2003 Service Pack 1 that modifies NTLM network authentication behavior".

You can find it on:http://support.microsoft.com/kb/906305/en-us

In the article, it states the following:

Microsoft Windows Server 2003 Service Pack 1 (SP1) modifies NTLM network authentication behavior. After you install Windows Server 2003 SP1, domain users can use their old password to access the network for one hour after the password is changed. Existing components that are designed to use Kerberos for authentication are not affected by this change.

The problem in the article listed is the exact same problem the SSO LDAP authentication would be affected by. If you want to change the behavior and to change the lifetime period of old password, please follow the steps in "How to change the lifetime period of an old password" section of above Microsoft article.