MiniNinja
Contributor

Changing the password - the old and the new one work

Hello Team,

R81.20 take 65 SMS (I've tried take 41 before) and gateway 5400 with R81.20 take 41.

Mobile access is enabled, integration with AD via SSL (LDAPS) is configured, the ability to change the password is configured according to https://support.checkpoint.com/results/sk/sk89841

If the password has expired or you need to change it at the first login, then the change is successful both through the portal and through the client (tried 87.50 and 88.40). But the old password is still accepted for about 5 minutes. The new password also works at the same time.

How can I fix it?

0 Kudos
10 Replies
PhoneBoy
Admin

Sounds like we're caching the password, which I believe is expected behavior.
I would consult with TAC to confirm: https://help.checkpoint.com

0 Kudos
MiniNinja
Contributor

Thanks for your reply, but at least in the Global Settings, password caching options are disabled. Where and how can I change the caching time? I suspect that this is done through the database.

0 Kudos
Lesley
Advisor

I suspect this is AD related and not Check Point. Also due to the fact that the AD is handling the password / authentication part.

Here they explain it for example for NTLM auth:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/new-setting-modifies-...

On Windows the default value is 5 minutes, and that is changed in the registry.

Best effort, you could try this (I work with CP and Microsoft):

1) Start registry editor 'regedit.msc'.

2) Follow the registry subkey 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'.

3) 'Right-click' 'Lsa', select 'New' and select 'DWORD Value'.

4) Enter OldPasswordAllowedPeriod as the name of the 'DWORD'.

5) 'Right-click' OldPasswordAllowedPeriod, then select 'Modify'.

6) Enter a value for the Value data box. This value is a life time for the old password in minutes.

For example, the old password can be used for 5 mins after the password change if the value is set to 5. To disable, enter 0.

Rebooting the server is not needed.

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
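
The registry steps from the post above, written as a PowerShell check (an added example, not part of the thread and not Check Point or Microsoft tooling). The parameter names `ComputerName` and `SetMinutes` are hypothetical; remote use assumes PowerShell remoting is enabled on the target servers and that the session has administrative rights.

```powershell
# Added example: audit, and optionally set, OldPasswordAllowedPeriod.
# Run without arguments to read the local machine; pass -ComputerName to
# query several servers (for instance the domain controllers) in one go.
param(
    [string[]]$ComputerName,        # hypothetical: hosts to check; omit for local
    [Nullable[int]]$SetMinutes      # hypothetical: omit to audit only, 0 disables
)

$valueName = 'OldPasswordAllowedPeriod'

$check = {
    param($name, $minutes)

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    if ($null -ne $minutes) {
        # Steps 3-6 of the post: create/overwrite the DWORD (lifetime in minutes)
        New-ItemProperty -Path $key -Name $name -PropertyType DWord `
            -Value $minutes -Force | Out-Null
    }

    # Read back what is actually stored; $null means the value does not exist
    $current = (Get-ItemProperty -Path $key -Name $name `
        -ErrorAction SilentlyContinue).$name

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        ValuePresent = $null -ne $current
        Minutes      = $current
    }
}

if ($ComputerName) {
    # Same check on each listed server over PowerShell remoting
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $check `
        -ArgumentList $valueName, $SetMinutes |
        Select-Object Computer, ValuePresent, Minutes
} else {
    & $check $valueName $SetMinutes
}
```

A row with `ValuePresent` set to `False` means the value was never created on that server, so comparing the output across servers shows where the setting has and has not been applied.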
MiniNinja
Contributor

An interesting idea, I'll try to test it, but it's strange that OWA only accepts a new password, even Outlook asks for a new one after a short period of time (I didn't check exactly how long).

MiniNinja
Contributor

Alas, what you suggested did not help, I even rebooted the test VM and the result is the same, the system accepts both the old and the new password.

0 Kudos
Lesley
Advisor

I think this is related to the AD servers themselves, not to test servers.

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
the_rock
Legend

I assume below is set to no?

Andy

 

Screenshot_1.png

0 Kudos
MiniNinja
Contributor

Yep

0 Kudos
the_rock
Legend

I will check guidbedit later to see if there is something there related to this.

Andy

0 Kudos
the_rock
Legend

So if you log into guidbedit, just click on global properties, ctrl+f, search for password, and see the values you get. I verified in mine and all seem to be default.

Andy

 

Screenshot_1.png

0 Kudos
