Changing the password - the old and the new one work
Hello Team,
R81.20 take 65 SMS (I've tried take 41 before) and gateway 5400 with R81.20 take 41.
Mobile access is enabled, integration with AD via SSL (LDAPS) is configured, the ability to change the password is configured according to https://support.checkpoint.com/results/sk/sk89841
If the password has expired or you need to change it at the first login, then, whether through the portal or the client (tried 87.50 and 88.40), the change is successful. But the old password is still accepted for about 5 minutes. The new password also works at the same time.
How can I fix it?
Sounds like we're caching the password, which I believe is expected behavior.
I would consult with TAC to confirm: https://help.checkpoint.com
Thanks for your reply, but at least in the Global Settings, password caching options are disabled. Where and how can I change the caching time? I suspect that this is done through the database.
I suspect this is AD related and not Check Point. Also due to the fact that AD is handling the password / authentication part.
Here they explain it for example for NTLM auth:
On Windows the default value is 5 minutes, which is changed in the registry.
Best effort, you could try this (I work with CP and Microsoft):
1) Start registry editor 'regedit.msc'.
2) Follow the registry subkey 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'.
3) 'Right-click' 'Lsa', select 'New' and select 'DWORD Value'.
4) Enter OldPasswordAllowedPeriod as the name of the 'DWORD'.
5) 'Right-click' OldPasswordAllowedPeriod, then select 'Modify'.
6) Enter a value in the Value data box. This value is the lifetime of the old password in minutes.
For example, the old password can be used for 5 mins after the password change if the value is set to 5. To disable, enter 0.
Rebooting the server is not needed.
If you like this post please give a thumbs up(kudo)! 🙂
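
The registry steps from the post above, scripted as an added example (not part of the thread and not Check Point or Microsoft code). The function name `Set-OldPasswordWindow` is hypothetical, and the script assumes it runs elevated on the Windows server that handles the authentication:

```powershell
# Added example: audit and optionally set OldPasswordAllowedPeriod.
# The key path and value name come from the post above.
# Set-OldPasswordWindow is a hypothetical helper name, not a built-in cmdlet.
function Set-OldPasswordWindow {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Lifetime of the old password in minutes; 0 disables it (per the post).
        # The upper bound is an arbitrary sanity limit chosen for this example.
        [ValidateRange(0, 1440)]
        [int]$Minutes = 0,
        # Report the current state without writing anything.
        [switch]$AuditOnly
    )
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $name = 'OldPasswordAllowedPeriod'

    # A missing value yields $null here rather than an error.
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $state = if ($null -eq $current) { 'not set (Windows default applies)' } else { "$current minute(s)" }
    Write-Verbose "$name is currently $state"

    if (-not $AuditOnly -and $current -ne $Minutes) {
        if ($PSCmdlet.ShouldProcess("$key\$name", "Set DWORD to $Minutes")) {
            # -Force creates the value or overwrites an existing one.
            New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Minutes -Force | Out-Null
        }
    }

    # Re-read so the report reflects what is actually in the registry.
    $after = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Before   = $current
        After    = $after
    }
}

# Read-only check first; then preview the change before applying it.
Set-OldPasswordWindow -AuditOnly -Verbose
# Set-OldPasswordWindow -Minutes 0 -WhatIf
```

Running it with `-AuditOnly` on each server involved shows whether the value is present at all, which helps confirm that a change was made on the machine that actually validates the password.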
An interesting idea, I'll try to test it, but it's strange that OWA only accepts a new password, even Outlook asks for a new one after a short period of time (I didn't check exactly how long).
Alas, what you suggested did not help, I even rebooted the test VM and the result is the same, the system accepts both the old and the new password.
I think this is related to the AD servers themselves, not to test servers.
If you like this post please give a thumbs up(kudo)! 🙂
I assume below is set to no?
Andy
Yep
I will check guidbedit later to see if there is something there related to this.
Andy
So if you log into guidbedit, just click on global properties, ctrl+f, search for password, see values you get. I verified in mine and all seem by default.
Andy
Yes, I also have
Then I got nothing else, sorry mate : - (
Let us know what TAC says and how it gets solved.
Andy