Old and new Password are valid after a change - why?

Created 2001-02-6 by Rainer Gerhards.

We are trying out Password Manager and see a bit of a curiosity: when we change a password using Password Manager, both the new and the old password are valid. How does this come about, and what can we do to prevent it?

Answer from Adiscon: When we developed Password Manager, we were a bit astonished to find that not only does NT need some time to replicate the change (which was expected), but IIS also caches both the new and the old password for what looks like 30 minutes. During this period, both passwords are valid when used on the very same machine Password Manager runs on. If you try to connect from a different machine, the old password might also be valid, depending on the state of Windows security replication.

You can easily verify that IIS is caching the password. In a test environment, change a password with Password Manager. Then try the old one: it will still work. Now stop and restart IIS; the old password will no longer work. Next, change another password and let the machine run untouched for another 40 minutes. After that, the old password will no longer be valid either.

This delay results both from IIS internal credential caching as well as domain controller security replication. There is a Microsoft knowledge base article on the internal credential caching and on how to configure it.
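To make the mechanism concrete, here is an added model of a web server's logon-token cache (example code written for this page; it is not Adiscon's code and not IIS internals). The directory, the token cache, the 30-minute lifetime and the user "alice" are all constructed assumptions. It shows why a server that caches successful logons keyed by (user, password) keeps accepting the old password after a change until the cached token expires, and it shows the two mitigations the answer above implies: restarting the service (flushing the cache) or invalidating the user's cached tokens at the moment the password changes.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumption: cache lifetime, set to the ~30 minutes observed on the page.
TOKEN_TTL_SECONDS = 30 * 60


def _token_key(user: str, password: str) -> str:
    """Cache key derived from the credential pair (model only; no salt needed here)."""
    return hashlib.sha256(f"{user}\x00{password}".encode()).hexdigest()


@dataclass
class Directory:
    """Stand-in for the NT account database. Constructed model: stores passwords as plain strings."""
    passwords: dict = field(default_factory=dict)

    def set_password(self, user: str, password: str) -> None:
        self.passwords[user] = password

    def check(self, user: str, password: str) -> bool:
        stored = self.passwords.get(user)
        return stored is not None and hmac.compare_digest(stored, password)


@dataclass
class TokenCache:
    """Model of a web server that caches successful logons for `ttl` seconds."""
    directory: Directory
    ttl: float = TOKEN_TTL_SECONDS
    _entries: dict = field(default_factory=dict)  # token key -> (user, expiry time)

    def authenticate(self, user: str, password: str, now: float) -> bool:
        key = _token_key(user, password)
        entry = self._entries.get(key)
        if entry is not None and entry[1] > now:
            return True  # served from cache; the directory is NOT consulted
        if self.directory.check(user, password):
            self._entries[key] = (user, now + self.ttl)
            return True
        return False

    def invalidate_user(self, user: str) -> None:
        """Mitigation: drop every cached token for a user when the password changes."""
        self._entries = {k: v for k, v in self._entries.items() if v[0] != user}

    def flush(self) -> None:
        """Equivalent of stopping and restarting the web service."""
        self._entries.clear()


def _primed_setup(ttl: float = TOKEN_TTL_SECONDS):
    """Create a directory and cache where alice has already logged on with her old password."""
    directory = Directory()
    directory.set_password("alice", "old-secret")
    cache = TokenCache(directory, ttl)
    cache.authenticate("alice", "old-secret", 0.0)  # successful logon, token now cached
    return directory, cache


def stale_window(ttl: float = TOKEN_TTL_SECONDS) -> dict:
    """Password change without any cache handling: old password survives until the token expires."""
    directory, cache = _primed_setup(ttl)
    directory.set_password("alice", "new-secret")  # the Password Manager step
    return {
        "new_right_after": cache.authenticate("alice", "new-secret", 1.0),
        "old_right_after": cache.authenticate("alice", "old-secret", 1.0),  # stale token accepted
        "old_after_ttl": cache.authenticate("alice", "old-secret", ttl + 1.0),  # expired, directory refuses
    }


def restart_clears(ttl: float = TOKEN_TTL_SECONDS) -> bool:
    """Restarting the service flushes the cache, so the old password is refused at once."""
    directory, cache = _primed_setup(ttl)
    directory.set_password("alice", "new-secret")
    cache.flush()
    return cache.authenticate("alice", "old-secret", 1.0)


def invalidate_on_change(ttl: float = TOKEN_TTL_SECONDS) -> dict:
    """Invalidating the user's tokens at change time closes the window without a restart."""
    directory, cache = _primed_setup(ttl)
    directory.set_password("alice", "new-secret")
    cache.invalidate_user("alice")
    return {
        "old_right_after": cache.authenticate("alice", "old-secret", 1.0),
        "new_right_after": cache.authenticate("alice", "new-secret", 1.0),
    }


if __name__ == "__main__":
    print("no handling:", stale_window())
    print("old password after restart:", restart_clears())
    print("invalidate on change:", invalidate_on_change())
```

The model only covers the server-side token cache; the domain controller replication delay mentioned above is a separate effect and would have to be modelled as a directory that lags behind the change. In a real deployment the practical check remains the one described in the answer: change a password, confirm that the old one still works on the same machine, then confirm that it stops working after a service restart or after the cache lifetime has passed.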
