Thursday, February 25, 2010

Login into Sharepoint with old AD password

Recently I encountered with strange issue: users were able to login into Sharepoint with old password after their AD password was changed. Actually they were able to login both with old and new passwords. We use FBA with AD as users storage, i.e. users accounts and passwords are stored in Active Directory. So when user changes his password – he actually changes password in AD.

As membership provider we use OTB LdapMembershipProvider configured like this in web.config:

   1: <membership defaultProvider="fbaMembers">
   2:   <providers>
   3:     <add name="fbaMembers" type="Microsoft.Office.Server.Security.LdapMembershipProvider,
   4: Microsoft.Office.Server, Version=, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
   5: server="localhost" port="389" useSSL="false" userDNAttribute="distinguishedName"
   6: userNameAttribute="userPrincipalName" userContainer="..."
   7: userObjectClass="person" userFilter="(|(ObjectCategory=group)(ObjectClass=person))"
   8: scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
   9:   </providers>
  10: </membership>

By1st look at the issue I thought that this is a bug. I tried to restart IIS, reopen browser – but user still was able to login with both passwords. I was sure that user’s password was changed successfully as I checked it with “Run As…” command – program could be run only if I specified new password in “Run As…” credentials window. More strange thing is that after some time old password became unusable, i.e. only new password remains valid for login into Sharepoint site.

After some investigation I found the following KB article which says that this behavior is actually by design:

“Microsoft Windows Server 2003 Service Pack 1 (SP1) modifies NTLM network authentication behavior. After you install Windows Server 2003 SP1, domain users can use their old password to access the network for one hour after the password is changed.

The lifetime period of the old password can be configured by editing the registry on a domain controller. No restart is required for this registry change to take effect

Note The lifetime period is set in minutes. If this registry value is not set, the default lifetime period for an old password is 60 minutes”

I.e. LdapMembershipProvider treats old password as valid password for authentication during 1 hour by default after password was changed.

No comments:

Post a Comment