Basic Authentication Allows Validation Using Old Password

Article ID: 210992
This article was previously published under Q210992

SYMPTOMS

After you change a user's domain password in User Manager for Domains, the user may be able to gain access to a Web-based program running on Internet Information Server (IIS) version 4.0 using the old password.

CAUSE

When you change a user's password in User Manager for Domains, it takes about 5-15 minutes for the old password to stop working. The new password begins to work immediately, so for a 5-15 minute interval, both passwords can be used to gain access to the Web site. Both passwords work on any Web browser running on any computer. This behavior occurs because user token information is cached for up to 15 minutes by default.

When all IIS services are stopped and then started after changing the password, the behavior still occurs.

Note that Windows NT login stops accepting the old password immediately. This situation occurs only with authentications performed by IIS.

This behavior is not related to the replication of account information between primary and backup domain controllers.

RESOLUTION

To work around this behavior, you can restart the server on which you changed the password.
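
The following is an added example, not Microsoft's or IIS's code: a simplified Python model of a validation cache with a fixed 15-minute lifetime, replaying a password change to show the interval in which both passwords are accepted and the effect of clearing the cache. The class and function names, the sample account, and the assumption that the old password was validated once before the change are all hypothetical.

```python
import hashlib

TOKEN_TTL = 15 * 60  # seconds; "up to 15 minutes by default" per the article

class Directory:
    """Stand-in for the domain account database (constructed)."""
    def __init__(self):
        self.passwords = {}

    def check(self, user, password):
        return self.passwords.get(user) == password

class CachingAuthenticator:
    """Hypothetical front end that caches successful validations."""
    def __init__(self, directory, ttl=TOKEN_TTL):
        self.directory, self.ttl, self.cache = directory, ttl, {}

    def authenticate(self, user, password, now):
        key = hashlib.sha256(f"{user}\0{password}".encode()).hexdigest()
        expiry = self.cache.get(key)
        if expiry is not None and now < expiry:
            return True                      # cache hit: directory not consulted
        self.cache.pop(key, None)            # expired or absent
        if self.directory.check(user, password):
            self.cache[key] = now + self.ttl
            return True
        return False

    def flush(self):
        self.cache.clear()                   # models the restart workaround

def timeline(flush_after_change=False):
    """Replay a password change at t=60s; return who is accepted when."""
    d = Directory()
    d.passwords["alice"] = "old-pw"          # constructed sample account
    auth = CachingAuthenticator(d)
    out = {"old@0": auth.authenticate("alice", "old-pw", 0)}
    d.passwords["alice"] = "new-pw"          # administrator changes the password
    if flush_after_change:
        auth.flush()
    out["new@60"] = auth.authenticate("alice", "new-pw", 60)
    out["old@120"] = auth.authenticate("alice", "old-pw", 120)
    out["old@900"] = auth.authenticate("alice", "old-pw", 900)
    return out

if __name__ == "__main__":
    print(timeline())
    print(timeline(flush_after_change=True))
```

In the first run the old password is still accepted at 120 seconds because the cached entry answers before the account database is asked; in the second run, clearing the cache makes the change take effect at once.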

STATUS

This behavior is by design.

Properties

Article ID: 210992 - Last Review: February 20, 2007 - Revision: 2.2
APPLIES TO
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows NT Server 4.0 Standard Edition
  • Microsoft Internet Information Server 4.0
Keywords: kbenv kbprb KB210992
