Users can log into Confluence with both their old and new Active Directory passwords
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Problem
After changing user passwords in Active Directory, users can log into Confluence with both the old and the new passwords for a period of time.
The sequence of events is as follows:
1. A user's password is updated in Active Directory.
2. Confluence is synced with Active Directory, and the caches are flushed.
3. For a period of time (anywhere from a few minutes to an hour), the user can log in with both the old and the new Active Directory password.
Diagnosis
Environment
Confluence is connected to Active Directory
Active Directory is using NTLM authentication
Diagnostic Steps
If Active Directory is also connected to another application, try logging into that application with both the old and the new credentials.
If users are able to log in to the other application with both passwords as well, the issue lies in the Active Directory server configuration rather than in Confluence.
Confluence does not cache Active Directory passwords; the user's credential field contains 'nopass' instead. Confluence therefore always authenticates against Active Directory and is not holding these passwords in its own cache. No errors or warnings are logged, because the users are authenticating successfully.
Cause
By default, Active Directory and NTLM authentication are configured to allow the most recent previous password to be used for NTLM authentication for one hour.
Solution
Resolution
This behavior can be modified by creating a DWORD value named OldPasswordAllowedPeriod at HKLM\SYSTEM\CurrentControlSet\Control\Lsa. The value is in minutes; a value of 0 disables the grace period, and no application restart is required. Note also that:
This only applies to NTLM, not Kerberos authentication.
If more than one Domain Controller is in use, this change must be made on each of them.
The user's password policy must have password history enabled or this feature is effectively disabled.
If you'd like to read more about it, this solution was found here
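The following PowerShell script is an added example and is not part of this KB or of Atlassian's tooling. It reports (and, with -Apply, sets) the OldPasswordAllowedPeriod value on every Domain Controller, and checks that password history is enabled in the default domain policy, since the setting has no effect without it. It assumes the ActiveDirectory PowerShell module is installed and that the account running it has WinRM access to each Domain Controller.

```powershell
# Added example, not from the Atlassian KB. Audits, and with -Apply sets,
# OldPasswordAllowedPeriod on every Domain Controller, then checks that
# password history is enabled (the value is ineffective without it).
# Assumes the ActiveDirectory module and WinRM access to each DC.
[CmdletBinding()]
param(
    [int]$DesiredMinutes = 0,   # 0 disables the NTLM old-password grace period
    [switch]$Apply              # without -Apply the script only reports
)

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'OldPasswordAllowedPeriod'

# The KB notes the change must be made on every DC, so enumerate all of them.
$dcs = (Get-ADDomainController -Filter *).HostName

foreach ($dc in $dcs) {
    $current = Invoke-Command -ComputerName $dc `
        -ArgumentList $regPath, $valueName, $DesiredMinutes, $Apply.IsPresent `
        -ScriptBlock {
            param($path, $name, $minutes, $apply)
            if ($apply) {
                # -Force creates the DWORD if missing or overwrites it; no restart needed
                New-ItemProperty -Path $path -Name $name -PropertyType DWord `
                    -Value $minutes -Force | Out-Null
            }
            # Returns $null when the value has never been created
            (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        }

    if ($null -eq $current) {
        # Value absent: the default the KB describes (one hour) applies
        "{0}: {1} not set (default of 60 minutes applies)" -f $dc, $valueName
    } else {
        $state = if ($current -eq 0) { ' (grace period disabled)' } else { '' }
        "{0}: {1} = {2} minute(s){3}" -f $dc, $valueName, $current, $state
    }
}

# The grace period only applies when password history is enabled.
$history = (Get-ADDefaultDomainPasswordPolicy).PasswordHistoryCount
if ($history -gt 0) {
    "Default domain policy: password history enabled ($history passwords remembered)"
} else {
    "Default domain policy: password history disabled; OldPasswordAllowedPeriod has no effect"
}
```

The password-history check reads only the default domain policy; if fine-grained password policies are in use, inspect those for the affected users separately.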