Users can log into Confluence with both their old and new Active Directory passwords
Platform Notice: Server and Data Center Only - This article only applies to Atlassian products on the server and data center platforms.
After changing user passwords in Active Directory, users can log into Confluence with both the old and the new passwords for a period of time.
The problem appears after the following sequence of actions:
- The user's password is updated in Active Directory.
- Confluence is synced with Active Directory, and its caches are flushed.
- For a period of time (anywhere from a few minutes to an hour), the user can log in with both the old and the new Active Directory password.

This occurs in the following environment:
- Confluence is connected to Active Directory.
- Active Directory is using NTLM authentication.

To confirm that Confluence is not the source of the behaviour:
- If Active Directory is connected to another application, try logging into that application with both credentials.
- If users can log in to the other application with either password as well, the issue lies in the Active Directory server configuration, not in Confluence.
Confluence does not cache Active Directory passwords; the user's credential field holds the placeholder 'nopass' instead. Confluence therefore always authenticates against Active Directory and is not the component caching the old password. No errors or warnings are logged, because users authenticate successfully with either password.
By default, Active Directory's NTLM authentication accepts the most recent previous password for one hour after a password change.
This behavior can be modified by creating a DWORD value under the registry key
HKLM\SYSTEM\CurrentControlSet\Control\Lsa on the domain controller. The value is the grace period in minutes; a value of 0 disables it, and no restart is required for the change to take effect. Note also that:
- This only applies to NTLM, not Kerberos authentication.
- This change must be made on each Domain Controller if using more than one.
- The user's password policy must have password history enabled or this feature is effectively disabled.
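As an added example (not part of the Atlassian article), the following PowerShell script audits this grace period on every domain controller, since the change must be made on each one, and optionally sets it. The registry key is the one named above; the value name OldPasswordAllowedPeriod is an assumption taken from Microsoft's documentation of this setting, not from the article, and the script assumes the ActiveDirectory module and WinRM access to each domain controller.

```powershell
# Added example: audit (and optionally set) the NTLM old-password grace window
# on every domain controller. Run as a domain administrator.
param(
    [int]$DesiredMinutes = 0,   # 0 disables the grace period entirely
    [switch]$Fix                # without -Fix the script only reports
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'   # key from the article
$ValueName = 'OldPasswordAllowedPeriod'                     # assumed value name

# Every DC must be checked: the setting is per-DC, not domain-wide.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

foreach ($dc in $dcs) {
    $current = Invoke-Command -ComputerName $dc -ScriptBlock {
        param($path, $name)
        $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item) { $null } else { $item.$name }
    } -ArgumentList $KeyPath, $ValueName

    # An absent value means the default applies: the previous password is
    # still accepted for NTLM authentication for 60 minutes.
    $effective = if ($null -eq $current) { 60 } else { [int]$current }
    $note = if ($null -eq $current) { ' (default, value not set)' } else { '' }
    Write-Output ("{0}: old password accepted for {1} minute(s){2}" -f $dc, $effective, $note)

    if ($Fix -and $effective -ne $DesiredMinutes) {
        Invoke-Command -ComputerName $dc -ScriptBlock {
            param($path, $name, $minutes)
            # -Force overwrites an existing value; no restart is needed.
            New-ItemProperty -Path $path -Name $name -PropertyType DWord `
                -Value $minutes -Force | Out-Null
        } -ArgumentList $KeyPath, $ValueName, $DesiredMinutes
        Write-Output ("{0}: set {1} to {2} minute(s)" -f $dc, $ValueName, $DesiredMinutes)
    }
}
```

Run it without -Fix first to see which controllers still use the one-hour default; the reported window only matters for NTLM, so Kerberos logons are unaffected either way.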
If you'd like to read more about it, this solution was found here