Active Directory Integration
[resolved] Old password still works on AD password change (5 posts)

  1. jwhoward
    Member
    Posted 2 years ago

    First off let me say. Great plug-in! It works excellent.

    Onto a small issue...

    After changing the password in our Active Directory, for some reason a user can still log in to WordPress with both their old password and the newly changed password (attempting to log in to a workstation with their old password does not work).

    I have the following options enabled in the AD-Integration plugin: Automatic User Creation, Automatic User Update, Auto Update User Description, and Automatic Password Update.

    Is there a setting somewhere else that should be enabled? I have tried clearing the user out of the wp-users table and both passwords still work.

    http://wordpress.org/extend/plugins/active-directory-integration/

  2. Necos
    Member
    Posted 2 years ago

    I have the same issue... and I could not resolve it.

    Does someone have a solution?

  3. deenaik
    Member
    Posted 2 years ago

    This is an Active Directory flaw, not a WordPress application problem. You can refer customers to MS-KB Article ID 906305: http://support.microsoft.com/kb/906305

    NTLM (NT LAN Manager) is a Microsoft authentication protocol used to authenticate clients in various Microsoft network protocol implementations, including Active Directory, Exchange Server services (POP3, IMAP, SMTP), SMB, etc. Windows 2003 Server Service Pack 1 modifies the NTLM network authentication behavior in such a way that users can use their old password to access network resources for a definite amount of time after the password is changed. This is also the case for LDAP authentication into Microsoft Active Directory.

    The period of time for which the old password will be active is configured by editing a registry key on the domain controller; its default value is set to an hour. This "feature" only applies to network access and to domain user accounts. The domain controller will not allow interactive logon with the old password. This means the old password is still good for mapping a network drive using an IP address (when using a machine name, NTLM is not involved, as Kerberos authentication occurs), logging into any application that uses NTLM, logging into Active Directory through LDAP functions, etc.

    This behavior is described in article 906305 of the Microsoft Knowledge Base. It is also noted in the article that no security weakness is caused by this kind of behavior as long as only one user knows both passwords.
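    The grace window deenaik describes is a per-domain-controller setting, so the practical check is to read it on every DC. The script below is an added example, not part of the ADI plugin or of this thread; the registry path and the value name OldPasswordAllowedPeriod (REG_DWORD, minutes; absent means the 60-minute default, 0 disables the behaviour) are taken from the KB article linked above, and the script assumes the ActiveDirectory module plus remoting rights on each DC.

```powershell
# Audit the NTLM old-password grace period on every domain controller.
# Added example; it is not code from the ADI plugin or from this thread.
# Value documented in KB 906305:
#   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OldPasswordAllowedPeriod
#   REG_DWORD, minutes; missing = 60-minute default; 0 = old password rejected.
Import-Module ActiveDirectory

$lsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'OldPasswordAllowedPeriod'

# Assumes the caller can enumerate DCs and run remote commands on them.
$dcs = (Get-ADDomainController -Filter *).HostName

$report = Invoke-Command -ComputerName $dcs -ArgumentList $lsaPath, $valueName -ScriptBlock {
    param($path, $name)
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $minutes = 60            # value not set: the built-in default applies
        $source  = 'default'
    } else {
        $minutes = [int]$item.$name
        $source  = 'registry'
    }
    [pscustomobject]@{
        DomainController  = $env:COMPUTERNAME
        GraceMinutes      = $minutes
        Source            = $source
        OldPasswordWorks  = ($minutes -gt 0)   # true = old password still accepted over NTLM/LDAP
    }
}

$report | Sort-Object DomainController | Format-Table -AutoSize

# Remediation, run locally on a DC where OldPasswordWorks is true:
# set the period to 0 minutes so a changed password stops working immediately.
# New-ItemProperty -Path $lsaPath -Name $valueName -PropertyType DWord -Value 0 -Force
```

    The remediation line is left commented out so the audit can be run read-only first; it changes DC behaviour for every NTLM and LDAP client, not only for the WordPress plugin.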

  4. jwhoward
    Member
    Posted 2 years ago

    deenaik,

    Thank you very much for the reply! You must be psychic or something... When I started this thread I was testing the plugin for a project... and on Friday I rolled out the project with the active directory plugin incorporated!

    Great information to have... Thanks again!

  5. glatze
    Member, Plugin Author
    Posted 2 years ago

    This is a feature of ADI, which can be deactivated since 1.1.3. See issue #50 on bugtracker: http://bt.ecw.de/view.php?id=50

Topic Closed