Users can log into Confluence with both their old and new Active Directory passwords

Summary

Problem

After changing user passwords in Active Directory, users can log into Confluence with both the old and the new passwords for a period of time.

When making the following actions...

• User's password is updated in Active Directory

• Confluence is synced with Active Directory, and caches are flushed

• For a period of time (anywhere from a few minutes to an hour), users can log in with both their old and new Active Directory passwords

Diagnosis

Environment

• Confluence is connected to Active Directory

• Active Directory is using NTLM authentication

Diagnostic Steps

• If Active Directory is connected to another application, try logging into the other application with both Credentials.

• If users are able to log in to either application, then this issue lies in the Active Directory server configuration

Confluence will not cache Active Directory passwords, and will instead contain 'nopass' under the user's credential. In this case, Confluence will always authenticate against Active Directory and should not be caching these passwords. No errors or warnings are logged, as users are able to authenticate with no issue.

Cause

By default, Active Directory and NTLM authentication are configured to allow the most recent previous password to be used for NTLM authentication for one hour.

Solution

Resolution

This behavior can be modified by creating a DWORD value of OldPasswordAllowedPeriod at HKLM\SYSTEM\CurrentControlSet\Control\Lsa. The value is in minutes, a value of 0 will disable it, and you will not need to restart the application. Note also that:

1. This only applies to NTLM, not Kerberos authentication.

2. This change must be made on each Domain Controller if using more than one.

3. The user's password policy must have password history enabled or this feature is effectively disabled.

If you'd like to read more about it, this solution was found here