Basic Authentication Allows Validation Using Old Password

This article was previously published under Q210992
This article has been archived. It is offered "as is" and will no longer be updated.
After you change a user's domain password in User Manager for Domains, the user may be able to gain access to a Web-based program running on Internet Information Server (IIS) version 4.0 using the old password.
When you change a user's password in User Manager for Domains, it takes about 5-15 minutes for the old password to stop working. The new password begins to work immediately, so for a 5-15 minute interval, both passwords can be used to gain access to the Web site. Both passwords work on any Web browser running on any computer. This behavior occurs because user token information is cached for up to 15 minutes by default.

When all IIS services are stopped and then started after changing the password, the behavior still occurs.

Note that Windows NT login stops accepting the old password immediately. This situation occurs only with authentications performed by IIS.

This behavior is not related to the replication of account information between primary and backup domain controllers.
To work around this behavior, you can restart the server on which you changed the password.
This behavior is by design.

Article ID: 210992 - Last Review: 01/09/2015 17:02:11 - Revision: 2.2

Microsoft Windows 2000 Advanced Server, Microsoft Windows NT Server 4.0 Standard Edition, Microsoft Internet Information Server 4.0

  • kbnosurvey kbarchive kbenv kbprb KB210992