LDAP bind allowing old password for 1 hour

Giganews Newsgroups
Subject: LDAP bind allowing old password for 1 hour
Posted by:  AlanAlbany (alanAlbany@nospam.nospam)
Date: Thu, 22 May 2008

We are implementing a Single Sign On (SSO) solution that is using LDAP bind
to an Active Directory authentication domain as its means of authenticating
a user. We have discovered that a SSO user can authenticate with their old
password for one hour after the password has been changed. Other means of
authentication to the authentication domain are not allowing this one hour
grace period. Since administratively changing the password is our method of
locking out an account, this one hour grace period is not acceptable. Is
there a way of reducing it similar to the registry change given in KB906305
for a similar issue with NTLM authentication? We have tried making the
registry change in KB906305 by defining
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\OldPasswordAllowedPeriod
as a DWORD with the value of 1 but the LDAP bind with the old password is
still working for up to one hour (even after a reboot of the domain
controller). (Note we are testing using a domain with a single domain
controller so replication delays between domain controllers can be ruled
out.) The following is a test VBScript that can be used to replicate the
problem once customised to the domain being used for testing.

[CODE]
' Test script: bind to AD through ADO/ADSI with an explicit user name and
' password, then run an LDAP query as that user. Customise the constants
' below for the domain under test.
Option Explicit

Dim MyRootDSE, MyRootDN, MyConn, MyLDAPStr, MyRS, MyMail

Const MyDomainFull = "ADserver.ad.com"
Const MyUserDN     = "CN=MyUser,OU=users,DC=ADserver,DC=ad,DC=com"
Const MyUserPwd    = "MyPwd"

' Read the domain's default naming context (e.g. DC=ADserver,DC=ad,DC=com)
Set MyRootDSE = GetObject("LDAP://" & MyDomainFull & "/RootDSE")
MyRootDN = MyRootDSE.Get("defaultNamingContext")

' Open an ADO connection through the ADSI OLE DB provider, authenticating
' as the test user. With no "ADSI Flag" property set, the provider uses
' ADS_SECURE_AUTHENTICATION (an SSPI bind) rather than an LDAP simple bind;
' set MyConn.Properties("ADSI Flag") explicitly if a particular bind type
' is being tested.
Set MyConn = CreateObject("ADODB.Connection")
MyConn.Provider = "ADsDSOObject"
MyConn.Properties("User ID") = MyUserDN
MyConn.Properties("Password") = MyUserPwd
MyConn.Open "ADSI"

' Look the user up under ou=users. The bind above has already succeeded or
' failed at this point; the query only confirms the connection is usable.
MyLDAPStr = _
        "<LDAP://" & MyDomainFull & "/ou=users," & MyRootDN & ">;" & _
        "(&(objectCategory=person)(objectClass=user)(cn=MyUser))" & _
        ";cn,mail;subtree"

Set MyRS = MyConn.Execute(MyLDAPStr)

If Not MyRS.EOF Then
  WScript.Echo "Not end of file"
  MyMail = MyRS.Fields("mail").Value
  ' mail is optional in AD; echoing a Null value raises an error
  If IsNull(MyMail) Then MyMail = "(no mail attribute)"
  WScript.Echo MyMail
  WScript.Echo MyRS.Fields("cn").Value
Else
  WScript.Echo "- record not found in AD"
End If

MyRS.Close
MyConn.Close
Set MyRS = Nothing
Set MyConn = Nothing

WScript.Quit
[/CODE]
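The post tests a single bind path through ADO. The following PowerShell script is an added example, not code from the original post or from the poster's SSO product: it probes the same domain controller with both an LDAP simple bind (AuthType Basic, over LDAPS) and an SSPI bind (AuthType Negotiate, i.e. Kerberos or NTLM), each with the old and the new password, so the two bind types can be compared directly, and then reads the KB906305 registry value the post mentions. The server name is taken from the post; the UPN `MyUser@ad.com`, the two passwords and the availability of LDAPS on port 636 are assumptions to replace for your own lab.

```powershell
# Added example, not code from the original post. Probes a domain controller with both an
# LDAP simple bind (AuthType Basic, over LDAPS) and an SSPI bind (AuthType Negotiate), each
# with the old and the new password, so you can see which bind type still accepts the old
# password after a change. User name and passwords below are placeholders to replace.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server      = 'ADserver.ad.com'   # DC named in the original post
$UserName    = 'MyUser@ad.com'     # assumed UPN of the test user; a DN also works for a simple bind
$OldPassword = 'OldPwd'            # constructed placeholder
$NewPassword = 'NewPwd'            # constructed placeholder

function Test-LdapBind {
    param(
        [string]$Server,
        [string]$UserName,
        [string]$Password,
        [string]$AuthType,   # 'Basic' (simple bind) or 'Negotiate' (Kerberos/NTLM via SSPI)
        [switch]$UseLdaps
    )
    # A simple bind sends the password in clear text, so it is only done over LDAPS (636).
    # This assumes the DC has a server certificate; on an isolated lab network you can drop -UseLdaps.
    $port = if ($UseLdaps) { 636 } else { 389 }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.SecureSocketLayer = [bool]$UseLdaps
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]$AuthType
    $cred = New-Object System.Net.NetworkCredential($UserName, $Password)
    try {
        $conn.Bind($cred)      # throws on invalid credentials (LDAP result code 49)
        $result = 'accepted'
    } catch {
        $result = "rejected: $($_.Exception.Message)"
    } finally {
        $conn.Dispose()
    }
    [pscustomobject]@{
        Time     = Get-Date -Format 'HH:mm:ss'
        AuthType = $AuthType
        Password = $(if ($Password -eq $OldPassword) { 'old' } else { 'new' })
        Result   = $result
    }
}

# Run the four combinations once; re-run the script periodically after the password change
# to see when each bind type stops accepting the old password.
$results = foreach ($auth in 'Basic', 'Negotiate') {
    foreach ($pw in $OldPassword, $NewPassword) {
        Test-LdapBind -Server $Server -UserName $UserName -Password $pw `
                      -AuthType $auth -UseLdaps:($auth -eq 'Basic')
    }
}
$results | Format-Table -AutoSize

# The registry value from KB906305 named in the post. It lives on the DC, so run this there
# (or wrap it in Invoke-Command). A missing value means the default period is in effect.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name OldPasswordAllowedPeriod -ErrorAction SilentlyContinue
if ($null -ne $lsa) { "OldPasswordAllowedPeriod = $($lsa.OldPasswordAllowedPeriod)" }
else { 'OldPasswordAllowedPeriod not set (default applies)' }
```

Reading the table tells you which path carries the grace period: a row where the simple bind rejects the old password while the Negotiate bind still accepts it points at the NTLM network-logon behaviour that KB906305 covers rather than at the LDAP server itself, and in that case the ADSI-based test in the post (which binds through SSPI unless an "ADSI Flag" is set) is measuring the same thing.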