Users can log into Confluence with both their old and new Active Directory passwords


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Problem

After changing user passwords in Active Directory, users can log into Confluence with both the old and the new passwords for a period of time. 

The sequence of events is:

  • The user's password is updated in Active Directory.
  • Confluence is synced with Active Directory, and the caches are flushed.
  • For a period of time (anywhere from a few minutes to an hour), the user can log in with both the old and the new Active Directory password.

Diagnosis

Environment

  • Confluence is connected to Active Directory 
  • Active Directory is using NTLM authentication

Diagnostic Steps

  • If Active Directory is also connected to another application, try logging in to that application with both the old and the new credentials.
  • If users can log in to either application with both passwords, the issue lies in the Active Directory server configuration, not in Confluence.

Confluence does not cache Active Directory passwords; the user's credential column instead contains the placeholder 'nopass'. Confluence therefore always authenticates against Active Directory and is not the component holding on to the old password. No errors or warnings are logged, because users authenticate successfully with either password.

Cause

By default, Active Directory and NTLM authentication are configured to allow the most recent previous password to be used for NTLM authentication for one hour.

Resolution

This behavior can be modified by creating a DWORD value named OldPasswordAllowedPeriod at HKLM\SYSTEM\CurrentControlSet\Control\Lsa. The value is the grace period in minutes; a value of 0 disables it, and no restart is needed for the change to take effect. Note also that:

  1. This only applies to NTLM, not Kerberos authentication.
  2. This change must be made on each Domain Controller if using more than one.
  3. The user's password policy must have password history enabled or this feature is effectively disabled.
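The following PowerShell script is an added example, not part of the Atlassian article: it audits OldPasswordAllowedPeriod on every domain controller (caveat 2), warns when the default domain password policy has no password history (caveat 3), and sets the value only when run with -Apply. It assumes the ActiveDirectory module, Domain Admin rights, and PowerShell remoting (WinRM) to each DC.

```powershell
# Added example (not from the Atlassian article): audit and, optionally, set
# the NTLM old-password grace period on every domain controller.
# Assumes: ActiveDirectory module, Domain Admin rights, WinRM to each DC.
param(
    [int]$Minutes = 0,   # 0 disables the grace period entirely
    [switch]$Apply       # without -Apply the script only reports
)

Import-Module ActiveDirectory

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'OldPasswordAllowedPeriod'

# Caveat 3: the setting only matters if password history is enforced.
$policy = Get-ADDefaultDomainPasswordPolicy
if ($policy.PasswordHistoryCount -lt 1) {
    Write-Warning "Default domain policy has PasswordHistoryCount=0; $valueName has no effect."
}

# Caveat 2: the value lives in each DC's registry, so visit every DC.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

foreach ($dc in $dcs) {
    $current = Invoke-Command -ComputerName $dc -ScriptBlock {
        param($path, $name)
        (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    } -ArgumentList $regPath, $valueName

    # A missing value means the Windows default (one hour) is in effect.
    $effective = if ($null -eq $current) { '60 (default, value not set)' } else { $current }
    Write-Output ("{0}: {1} = {2}" -f $dc, $valueName, $effective)

    if ($Apply -and $current -ne $Minutes) {
        Invoke-Command -ComputerName $dc -ScriptBlock {
            param($path, $name, $val)
            # -Force overwrites an existing value; no DC restart is required.
            New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $val -Force | Out-Null
        } -ArgumentList $regPath, $valueName, $Minutes
        Write-Output ("{0}: set {1} to {2}" -f $dc, $valueName, $Minutes)
    }
}
```

The password-history check covers only the default domain policy; users governed by a fine-grained password policy (Get-ADFineGrainedPasswordPolicy) need that policy checked separately.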

If you'd like to read more about it, this solution was found here.

Last modified on Feb 26, 2016
