Re: ADAM userproxy password anomolie?

From: Jims (biz_at_neocasa.net)
Date: 05/06/05

  • Next message: Jims: "AD password chnange anomolie"
    Date: Thu, 5 May 2005 22:40:33 -0400
    
    

    Will do. Thanks Dimitri.

    "Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in message
    news:OdWQMUcUFHA.3188@TK2MSFTNGP09.phx.gbl...
    > Curious. So, the same applies to direct binds to AD as well? But not for
    > interactive binds?
    >
    > If so, I suggest you start another thread here with a different subject.
    > Perhaps our AD MVPs will be able to shed some light on that.
    >
    > --
    > Dmitri Gavrilov
    > SDE, Active Directory Core
    >
    > This posting is provided "AS IS" with no warranties, and confers no
    > rights.
    > Use of included script samples are subject to the terms specified at
    > http://www.microsoft.com/info/cpyright.htm
    >
    > "Jims" <biz@neocasa.net> wrote in message
    > news:ecCTmnbUFHA.928@TK2MSFTNGP15.phx.gbl...
    >> Pure LDAP for 2 out of 3 apps we've tested (PeopleSoft web on Solaris
    >> and Softerra LDAP Administrator) and one in-house ADSI app.
    >> Jim
    >>
    >>
    >> "Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in message
    >> news:%231zBGVbUFHA.3544@TK2MSFTNGP12.phx.gbl...
    >>> Pure LDAP or ADSI?
    >>>
    >>> --
    >>> Dmitri Gavrilov
    >>> SDE, Active Directory Core
    >>>
    >>> This posting is provided "AS IS" with no warranties, and confers no
    >>> rights.
    >>> Use of included script samples are subject to the terms specified at
    >>> http://www.microsoft.com/info/cpyright.htm
    >>>
    >>> "Jims" <biz@neocasa.net> wrote in message
    >>> news:%23LtfSTbUFHA.3056@TK2MSFTNGP14.phx.gbl...
    >>>> The issue only seems to affect ldap binds. We cannot reproduce this
    >>>> behavior when logging onto a workstation - only accepts the new
    >>>> password. AD replication appears to be ok but I will investigate
    >>>> further.
    >>>> Jim
    >>>>
    >>>>
    >>>> "Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in
    >>>> message news:%23kcBnDbUFHA.1508@tk2msftngp13.phx.gbl...
    >>>>> Are you using LDAP or ADSI?
    >>>>> Does interactive logon with old pwd still work, when the workstation
    >>>>> is connected to the network?
    >>>>> Is AD replication ok?
    >>>>>
    >>>>> --
    >>>>> Dmitri Gavrilov
    >>>>> SDE, Active Directory Core
    >>>>>
    >>>>> This posting is provided "AS IS" with no warranties, and confers no
    >>>>> rights.
    >>>>> Use of included script samples are subject to the terms specified at
    >>>>> http://www.microsoft.com/info/cpyright.htm
    >>>>>
    >>>>> "Jims" <biz@neocasa.net> wrote in message
    >>>>> news:%23SbIveaUFHA.580@TK2MSFTNGP15.phx.gbl...
    >>>>>> Thanks for the response. After some additional testing we've found
    >>>>>> this is definitely happening but appears to be an AD issue and not
    >>>>>> ADAM. We also found it only happens to users of a particular child
    >>>>>> domain in our forest and not users in the parent domain. Our tests:
    >>>>>> a user in the child domain changed their AD password in the child
    >>>>>> domain and then performed several successful ldap binds to a dc in
    >>>>>> the child domain with their old and new passwords. The old password
    >>>>>> worked for up to ~30 minutes. The same test was performed with a
    >>>>>> user in the parent (root) domain and the old password bind failed
    >>>>>> immediately. Both tests were performed several times and the results
    >>>>>> were consistent. Security group policy settings in both domains
    >>>>>> appear to be the same. It doesn't seem to be SAM replication because
    >>>>>> the new password was also successful. We're stumped.
    >>>>>>
    >>>>>>
    >>>>>> "Lee Flight" <lef@le.ac.uk-nospam> wrote in message
    >>>>>> news:O0WmTRXUFHA.2472@TK2MSFTNGP10.phx.gbl...
    >>>>>>> Hi Jim,
    >>>>>>>
    >>>>>>> "Jims" <biz@neocasa.net> wrote in message
    >>>>>>> news:OD80caPUFHA.1432@TK2MSFTNGP09.phx.gbl...
    >>>>>>>
    >>>>>>>> Issue: We've been receiving reports from our users that after
    >>>>>>>> resetting their AD domain passwords, they can still log into
    >>>>>>>> applications (those that bind to adam) with their old password for
    >>>>>>>> up to an hour or so. Additionally, they can also use their new
    >>>>>>>> password.
    >>>>>>>> ??? - Is this possible or do my users hate me? I've seen this
    >>>>>>>> behavior on an XP workstation after a password reset but never with
    >>>>>>>> adam. Any ideas appreciated.
    >>>>>>>> Thanks,
    >>>>>>>> Jim
    >>>>>>>
    >>>>>>> I have never seen that behavior but then I do not have your web
    >>>>>>> application :)
    >>>>>>> Have you managed to repro the problem with a test account and keeping
    >>>>>>> one eye on the security audit log on the ADAM instance and back-end DC?
    >>>>>>> If you can repro it, it might be worth trying with a native ADAM user
    >>>>>>> through the web application, if possible, and then resetting the
    >>>>>>> password for that account to see if that also exhibits the behavior.
    >>>>>>>
    >>>>>>> I would not be surprised if this was being seen, as I could well
    >>>>>>> imagine that the application might maintain some sort of credential
    >>>>>>> caching (is the web application using ADSI? Is it running under IIS?).
    >>>>>>>
    >>>>>>> Let us know what you find, thanks
    >>>>>>>
    >>>>>>> Lee Flight
    >>>>>>>
    >>>>>>
    >>>>>>
    >>>>>
    >>>>>
    >>>>
    >>>>
    >>>
    >>>
    >>
    >>
    >
    >
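The repro Jim describes (change a password, then bind against a DC with the old and the new password repeatedly and note how long the old one keeps working) can be scripted so the window is measured rather than eyeballed. The harness below is an added example, not code from the thread or from Microsoft; it assumes the `ldap3` Python library for the real bind (not mentioned on the page), and the hypothetical user DN, passwords and the simulated "DC" with a 30-minute grace window are all constructed here to mirror the child-domain observation in the thread. The probe takes the bind function as a parameter, so the same loop runs against the simulation offline or against a real DC.

```python
"""Measure how long an old password still binds after a change (added example)."""
from dataclasses import dataclass
from typing import Callable, List, Optional
import time

# (user_dn, password) -> True if the simple bind succeeded
BindFn = Callable[[str, str], bool]


@dataclass
class ProbeResult:
    elapsed_s: float   # seconds since the probe started
    old_ok: bool       # old password still accepted?
    new_ok: bool       # new password accepted?


def probe_passwords(bind: BindFn, user_dn: str, old_pw: str, new_pw: str,
                    interval_s: float = 60.0, max_s: float = 3600.0,
                    clock=time.monotonic, sleep=time.sleep) -> List[ProbeResult]:
    """Bind with both passwords every interval_s seconds, starting right after
    the change, until the old password is refused or max_s has elapsed."""
    start = clock()
    results: List[ProbeResult] = []
    while True:
        now = clock() - start
        r = ProbeResult(now, bind(user_dn, old_pw), bind(user_dn, new_pw))
        results.append(r)
        if not r.old_ok or now >= max_s:
            return results
        sleep(interval_s)


def old_password_window(results: List[ProbeResult]) -> Optional[float]:
    """Last elapsed time at which the old password still bound, or None if it
    was refused from the first probe (the parent-domain behaviour in the thread)."""
    ok = [r.elapsed_s for r in results if r.old_ok]
    return max(ok) if ok else None


def ldap3_bind(server_url: str) -> BindFn:
    """Real LDAP simple bind via the ldap3 library (assumption: ldap3 is installed).
    Use ldaps:// or StartTLS in practice; a simple bind sends the password in clear."""
    def bind(user_dn: str, pw: str) -> bool:
        from ldap3 import Server, Connection, SIMPLE  # imported lazily; optional dependency
        conn = Connection(Server(server_url), user=user_dn, password=pw, authentication=SIMPLE)
        ok = conn.bind()
        conn.unbind()
        return bool(ok)
    return bind


class FakeClock:
    """Constructed clock so the simulation runs instantly (example only)."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def sleep(self, s: float) -> None:
        self.now += s


def simulated_dc(clock, grace_s: float, old_pw: str, new_pw: str) -> BindFn:
    """Constructed stand-in for the DC in the thread: the new password always
    binds, the old one only for grace_s seconds after the change (example only)."""
    changed_at = clock()

    def bind(user_dn: str, pw: str) -> bool:
        if pw == new_pw:
            return True
        if pw == old_pw:
            return clock() - changed_at < grace_s
        return False
    return bind


if __name__ == "__main__":
    # Child-domain case from the thread: old password honoured for ~30 minutes.
    clk = FakeClock()
    dc = simulated_dc(clk, grace_s=30 * 60, old_pw="OldPw-example", new_pw="NewPw-example")
    res = probe_passwords(dc, "cn=testuser,dc=child,dc=example", "OldPw-example",
                          "NewPw-example", interval_s=300, clock=clk, sleep=clk.sleep)
    for r in res:
        print(f"t+{int(r.elapsed_s):5d}s  old={'OK' if r.old_ok else 'refused'}  new={'OK' if r.new_ok else 'refused'}")
    print("old password last accepted at", old_password_window(res), "seconds")
```

Against a real DC you would swap `dc` for `ldap3_bind("ldaps://dc.child.example")`, run the probe immediately after the password change, and correlate each probe timestamp with the DC's security audit log, as Lee suggests in the thread.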

