Microsoft KB Archive/210992

= Basic Authentication Allows Validation Using Old Password =

Article ID: 210992

Article Last Modified on 2/20/2007

-

APPLIES TO


 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Internet Information Server 4.0

-



This article was previously published under Q210992



SYMPTOMS
After you change a user's domain password in User Manager for Domains, the user may be able to gain access to a Web-based program running on Internet Information Server (IIS) version 4.0 using the old password.



CAUSE
When you change a user's password in User Manager for Domains, it takes about 5-15 minutes for the old password to stop working. The new password begins to work immediately, so for a 5-15 minute interval, both passwords can be used to gain access to the Web site. Both passwords work on any Web browser running on any computer. This behavior occurs because user token information is cached for up to 15 minutes by default.

When all IIS services are stopped and then started after changing the password, the behavior still occurs.

Note that Windows NT login stops accepting the old password immediately. This situation occurs only with authentications performed by IIS.

This behavior is not related to the replication of account information between primary and backup domain controllers.



RESOLUTION
To work around this behavior, you can restart the server on which you changed the password.



STATUS
This behavior is by design.

Keywords: kbenv kbprb KB210992

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.