April 2009 Blog Posts

Old Passwords Still Working?!

I've had to respond to this topic a number of times now, so I figured I would just write it up here for future reference. If you are using Active Directory and you administratively change a principal's password, sometimes you find that the old password still works (at least for a little while). Most often, you'll see this if you are using PrincipalContext or a Membership Provider that uses A.D. under the covers, because when you call their methods to change a password, they do an administrative password change using LDAP. This is actually an old feature of NTLM authentication. The concept being...