Scripting. Stuff. (By Froosh)

August 22, 2006

Old passwords are still valid with Windows Server 2003 SP1

Filed under: Windows — Robin Frousheger @ 12:22 pm

We’ve been pulling our hair out for a while because the software we use to provide e-mail synchronisation services for pocket pc users keeps providing very strange results when staff change their passwords.

The main symptom was that the sync software would still work without prompting for an updated password. It appeared to keep using the old password for a while, and then refuse to sync because it’s cached password was invalid. For some reason it did not recognise a password change.

The software vendor was utterly useless, sending us revision after revision of the software and claiming complete fixes. After a few fruitless cycles, they provided a work-around in which a single service account would be used to sync with their mailboxes. I wasn’t happy with their answer of “But you’re the only company reporting this issue” and they were not willing to pursue it.

Thankfully, I now at least have part of the answer: MS KB 906305 Windows Server 2003 Service Pack 1 modifies NTLM network authentication behavior.

This document states:

After you install Windows Server 2003 SP1, domain users can use their old password to access the network for one hour after the password is changed. Existing components that are designed to use Kerberos for authentication are not affected by this change.

And so it becomes clear. The sync software is using NTLM auth rather than Kerberos and so the old passwords are still accepted by the servers. It also explains why we could not reproduce it by logging into the machines interactively, as that uses Kerberos.

What I don’t have a satisfactory answer to is: When we logged a call with Microsoft Premier Support (yes, this costs a lot), they claimed that it was impossible, there was no way that the old passwords could be accepted.

Now I just have to cross my fingers and hope that the vendor will do something to fix our problem properly. I’m not expecting much.

Advertisements

Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Create a free website or blog at WordPress.com.

%d bloggers like this: