Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
MiniNinja
Collaborator

Changing the password - the old and the new one work

Hello Team,

R81.20 take 65 SMS (I've tried take 41 before) and gateway 5400 with R81.20 take 41.

Mobile access is enabled, integration with AD via SSL (LDAPS) is configured, the ability to change the password is configured according to https://support.checkpoint.com/results/sk/sk89841

If the password has expired or you need to change it at the first login, that through the portal that the client (tried 87.50 and 88.40) the change is successful. But the old password is still accepted for about 5 minutes. The new password also works at the same time.

How can I fix it?

0 Kudos
12 Replies
PhoneBoy
Admin
Admin

Sounds like we're caching the password, which I believe is expected behavior.
I would consult with TAC to confirm: https://help.checkpoint.com

0 Kudos
MiniNinja
Collaborator

Thanks for your reply, but at least in the Global Settings, password caching options are disabled. Where and how can I change the caching time? I suspect that this is done through the database.

0 Kudos
Lesley
Leader Leader
Leader

I suspect this is AD related and not Check Point. Also due the fact the AD is handeling the password / authentication part. 

Here they explain it for example for NTLM auth:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/new-setting-modifies-...

On Windows the default value is 5 minutes that is changed in register. 

Best effor you could try this (I work with CP and Microsoft)

1) Start registry editor 'regedit.msc'.

2) Follow the registry subkey 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'.

3) 'Right-click' 'Lsa', select 'New' and select 'DWORD Value'.

4) Enter OldPasswordAllowedPeriod as the name of the 'DWORD'.

5) 'Right-click' OldPasswordAllowedPeriod, then select 'Modify'.

6) Enter a value for the Value data box. This value is a life time for the old password in minutes.

For example, the old password can be used for 5 mins after the password change if the value is set to 5. To disable, enter 0.

Rebooting the server is not needed.

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
MiniNinja
Collaborator

An interesting idea, I'll try to test it, but it's strange that OWA only accepts a new password, even Outlook asks for a new one after a short period of time (I didn't check exactly how long).

MiniNinja
Collaborator

Alas, what you suggested did not help, I even rebooted the test VM and the result is the same, the system accepts both the old and the new password.

0 Kudos
Lesley
Leader Leader
Leader

I think this is related to the AD servers itself not for test servers. 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
the_rock
Legend
Legend

I assume below is set to no?

Andy

 

Screenshot_1.png

0 Kudos
MiniNinja
Collaborator

Yep

0 Kudos
the_rock
Legend
Legend

I will check guidbedit later to see if there is something there related to this.

Andy

0 Kudos
the_rock
Legend
Legend

So if you log into guidbedit, kjust click on global properties, ctrl+f, search for password, see values you get. I verified in mine and all seem by default.

Andy

 

Screenshot_1.png

0 Kudos
MiniNinja
Collaborator

Yes, I also have

0 Kudos
the_rock
Legend
Legend

Then I got nothing else, sorry mate : - (

Lets us know what TAC says and how it gets solved.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events