Basic Authentication Allows Validation Using Old Password

ID: Q210992

The information in this article applies to:

Microsoft Windows NT Server version 4.0
Microsoft Internet Information Server 4.0
Microsoft Windows 2000 Advanced Server

SYMPTOMS

After you change a user's domain password in User Manager for Domains, the user may be able to gain access to a Web-based program running on Internet Information Server (IIS) version 4.0 using the old password.

CAUSE

When you change a user's password in User Manager for Domains, it takes about 5-15 minutes for the old password to stop working. The new password begins to work immediately, so for a 5-15 minute interval, both passwords can be used to gain access to the Web site. Both passwords work on any Web browser running on any computer. This behavior occurs because user token information is cached for up to 15 minutes by default.

When all IIS services are stopped and then started after changing the password, the behavior still occurs.

Note that Windows NT login stops accepting the old password immediately. This situation occurs only with authentications performed by IIS.

This behavior is not related to the replication of account information between primary and backup domain controllers.

RESOLUTION

To work around this behavior, you can restart the server on which you changed the password.

STATUS

This behavior is by design.

Additional query words:

Keywords : kbenv ntsecurity
Version : WINDOWS:2000; winnt:4.0
Platform : WINDOWS winnt
Issue type : kbprb