IIS Digest Authentication and Domain Password Changes



I have a security scenario where people in remote offices change their
passwords then attempt to connect to an IIS-hosted application at my site
before the replication interval. I know that Windows polls the PDC emulator
to see if password changes have occurred; however, I wasn't sure if IIS does
the same thing or if it could be configured to do so. Currently we are
using Digest authentication. No realm is specified if that makes a
difference.

I just want to ensure that the remote users don't end up locked out in the
event that they have changed passwords and get impatient. I also don't want
to force a bunch of unnecessary replication just for an event that occurs
once every 90 days.




