Changing the password - the old and the new one wo...

MiniNinja · ‎2024-07-23

Hello Team,

R81.20 take 65 SMS (I've tried take 41 before) and gateway 5400 with R81.20 take 41.

Mobile access is enabled, integration with AD via SSL (LDAPS) is configured, the ability to change the password is configured according to https://support.checkpoint.com/results/sk/sk89841

If the password has expired or you need to change it at the first login, that through the portal that the client (tried 87.50 and 88.40) the change is successful. But the old password is still accepted for about 5 minutes. The new password also works at the same time.

How can I fix it?

PhoneBoy · ‎2024-07-24

Sounds like we're caching the password, which I believe is expected behavior.
I would consult with TAC to confirm: https://help.checkpoint.com

MiniNinja · ‎2024-07-24

Thanks for your reply, but at least in the Global Settings, password caching options are disabled. Where and how can I change the caching time? I suspect that this is done through the database.

Lesley · ‎2024-07-24

I suspect this is AD related and not Check Point. Also due the fact the AD is handeling the password / authentication part.

Here they explain it for example for NTLM auth:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/new-setting-modifies-...

On Windows the default value is 5 minutes that is changed in register.

Best effor you could try this (I work with CP and Microsoft)

1) Start registry editor 'regedit.msc'.

2) Follow the registry subkey 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'.

3) 'Right-click' 'Lsa', select 'New' and select 'DWORD Value'.

4) Enter OldPasswordAllowedPeriod as the name of the 'DWORD'.

5) 'Right-click' OldPasswordAllowedPeriod, then select 'Modify'.

6) Enter a value for the Value data box. This value is a life time for the old password in minutes.

For example, the old password can be used for 5 mins after the password change if the value is set to 5. To disable, enter 0.

Rebooting the server is not needed.

-------
If you like this post please give a thumbs up(kudo)! 🙂

MiniNinja · ‎2024-07-24

An interesting idea, I'll try to test it, but it's strange that OWA only accepts a new password, even Outlook asks for a new one after a short period of time (I didn't check exactly how long).

MiniNinja · ‎2024-07-25

Alas, what you suggested did not help, I even rebooted the test VM and the result is the same, the system accepts both the old and the new password.

Lesley · ‎2024-07-25

I think this is related to the AD servers itself not for test servers.

-------
If you like this post please give a thumbs up(kudo)! 🙂

the_rock · ‎2024-07-24

I assume below is set to no?

Andy

MiniNinja · ‎2024-07-25

Yep

the_rock · ‎2024-07-25

I will check guidbedit later to see if there is something there related to this.

Andy

the_rock · ‎2024-07-25

So if you log into guidbedit, kjust click on global properties, ctrl+f, search for password, see values you get. I verified in mine and all seem by default.

Andy

MiniNinja · ‎2024-07-25

Yes, I also have

the_rock · ‎2024-07-25

Then I got nothing else, sorry mate : - (

Lets us know what TAC says and how it gets solved.

Andy

Are you a member of CheckMates?

Changing the password - the old and the new one work