Old and new password are valid after a change - why?
Created 2001-02-06 by Rainer
We are trying out Password Manager and see a bit of a curiosity: when
we change a password using Password Manager, both the new and the old password are
valid. How does this come about, and what can we do to prevent this?
Answer from Adiscon: When we developed Password Manager, we
were a bit astonished to find out that not only does NT need some time to replicate
the change (that was expected), but IIS also caches the new and the old
password for what looks like 30 minutes. During this period, both passwords are
valid if used on the very same machine Password Manager runs on. If you try to
connect from a different machine, the old password might also be valid,
depending on the status of Windows security replication.
You can simply verify that IIS is caching the password. In a test
environment, change a password with Password Manager. Then try the old one - it
will work. Now shut down IIS and restart it. The old password won't work
any longer. Now change another password. Let the machine run untouched for
another 40 minutes. Again, the old password will no longer be valid.
This delay results both from IIS-internal credential caching and from
domain controller security replication. There is a Microsoft
knowledge base article on the internal credential caching and on how to
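As an added illustration (not code from Adiscon, Password Manager or IIS), the Python model below reproduces the behaviour described in the answer: an authentication front end that caches successful logins for an assumed 30-minute lifetime keeps a password valid after it has been changed in the account database, until the cached entry expires or the service is restarted. The `invalidate_on_change` switch shows the alternative a cache owner has, dropping a user's cached entries the moment their password changes. The class and function names, the `alice` account and all timings are constructed for this example; directory replication between machines is not modelled.

```python
"""Model of a credential cache with a fixed time-to-live, as described for IIS.

Constructed illustration, not Adiscon's or Microsoft's code. Time is a plain
number of seconds passed in by the caller, so the scenario runs instantly.
"""
import hashlib

CACHE_TTL = 30 * 60  # assumed 30-minute cache lifetime, taken from the answer above


def _digest(user: str, password: str) -> str:
    # Cache key derived from user and password; the clear text is never stored.
    return hashlib.sha256(f"{user}\0{password}".encode()).hexdigest()


class Directory:
    """Stand-in for the NT account database (replication is not modelled)."""

    def __init__(self) -> None:
        self._passwords: dict[str, str] = {}

    def set_password(self, user: str, password: str) -> None:
        self._passwords[user] = password

    def check(self, user: str, password: str) -> bool:
        return self._passwords.get(user) == password


class CachingAuthenticator:
    """Authenticates against the directory, remembering successes for CACHE_TTL.

    invalidate_on_change=False reproduces the behaviour in the question: a
    password change does not touch the cache, so the old password keeps working
    until its entry expires or the service restarts.
    invalidate_on_change=True is the fix a cache owner would apply.
    """

    def __init__(self, directory: Directory, invalidate_on_change: bool) -> None:
        self._dir = directory
        self._invalidate = invalidate_on_change
        self._cache: dict[str, tuple[str, float]] = {}  # digest -> (user, expiry)

    def authenticate(self, user: str, password: str, now: float) -> bool:
        key = _digest(user, password)
        entry = self._cache.get(key)
        if entry is not None and entry[1] > now:
            return True  # served from cache; the directory is not consulted
        self._cache.pop(key, None)  # expired or absent
        if self._dir.check(user, password):
            self._cache[key] = (user, now + CACHE_TTL)
            return True
        return False

    def change_password(self, user: str, new_password: str) -> None:
        self._dir.set_password(user, new_password)
        if self._invalidate:
            # Drop every cached entry for this user, old and new alike.
            self._cache = {k: v for k, v in self._cache.items() if v[0] != user}

    def restart(self) -> None:
        self._cache.clear()  # what a service restart does to an in-memory cache


def _after_change(invalidate_on_change: bool) -> CachingAuthenticator:
    """Constructed sample account, logged in once, then password changed at t=0."""
    directory = Directory()
    directory.set_password("alice", "old-secret")
    auth = CachingAuthenticator(directory, invalidate_on_change)
    auth.authenticate("alice", "old-secret", 0.0)  # warms the cache like a real login
    auth.change_password("alice", "new-secret")
    return auth


def run_scenario(invalidate_on_change: bool) -> dict[str, bool]:
    """Replay the observations from the question; t=0 is the password change."""
    auth = _after_change(invalidate_on_change)
    results = {
        "old_1min_after_change": auth.authenticate("alice", "old-secret", 60.0),
        "new_1min_after_change": auth.authenticate("alice", "new-secret", 60.0),
        "old_after_ttl_expired": auth.authenticate("alice", "old-secret", CACHE_TTL + 1.0),
    }
    auth = _after_change(invalidate_on_change)
    auth.restart()
    results["old_after_restart"] = auth.authenticate("alice", "old-secret", 60.0)
    return results


if __name__ == "__main__":
    for mode in (False, True):
        print(f"invalidate_on_change={mode}:")
        for name, ok in run_scenario(mode).items():
            print(f"  {name}: {'accepted' if ok else 'rejected'}")
```

With `invalidate_on_change=False` the run shows exactly the symptom reported: one minute after the change both passwords are accepted, and the old one is only rejected once its cached entry has passed the 30-minute lifetime or the cache has been cleared by a restart. With `invalidate_on_change=True` the old password is rejected immediately, which is the behaviour a credential cache should have if the cache owner can hook password changes; where that hook is not available, as in the answer above, the remaining options are a shorter lifetime or a restart.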