Security issues for AD integration - SSO
Password change delay
In some configurations (Enforce Password History needs to be set to a value of two or more remembered passwords) AD may have a configurable password change delay. This might be noticed so that the user may be able to authenticate for a certain time period with both the old and the new password. This is not normally a security problem since the only valid passwords are the old and new user defined password. If the old password has been compromised then a password reset should be made by the administrator and also the "user must change password at next logon" flag should be set. Then the change will be immediate.
If the password change delay is still a problem there is a way to change it:
"The lifetime period of the old password can be configured by editing the registry on a domain controller. No restart is required for this registry change to take effect.
To change the lifetime period of an old password, add a DWORD entry that is named OldPasswordAllowedPeriod to the following registry subkey on a domain controller: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
To do this, follow these steps:
- Click Start, click Run, type regedit, and then click OK.
- Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- On the Edit menu, point to New, and then click DWORD Value.
- Type OldPasswordAllowedPeriod as the name of the DWORD, and then press ENTER.
- Right-click OldPasswordAllowedPeriod, and then click Modify.
- In the Value data box, type the value in minutes that you want to use, and then click OK. (If the value is not set then a default lifetime period will be used.)
- Quit Registry Editor."