I have a user who used to be able to logon to my Intranet site using
SSO. Her account expired and we had to change the password on the AD
server when we
re-enabled it. Since then, SSO doesn't work for that user when using IE
I.e. when I set JCIFS logs level to 9, I can see an error in the
authentication saying wrong username or password.
The funny thing is that FireFox allows that user to connect. The NTLM
string returned is different from the one returned by IE though.
This leads me to belive that IE is using cached credentials to perform
an NTLM challenge response.
I know how to stop Windows from storing the credentials. If I set the
Local Policy "Network access: Do not allow storage of credentials or
.NET Passports..." to Enabled, then the user can use SSO again. BUT,
and that's freaky, if I reset the value to Disabled (The default
value), the user can no longer use SSO.
Does anyone knows how to clear the storage of credentials on windows?
How long are credentials stored for? 24 hours, 10 days, 30 days or
> I have a user who used to be able to logon to my Intranet site using
> SSO. Her account expired and we had to change the password on the AD
> server when we
> re-enabled it. Since then, SSO doesn't work for that user when using IE
> to connect.
> I.e. when I set JCIFS logs level to 9, I can see an error in the
> authentication saying wrong username or password.
I suspect there is something else going on here. NTLM credentials
aren't cached by the client. If you're running on IIS it could be that
a different authentication type is being chosen in some cases. Also,
it could be that when setting the password in AD the NTLM keys were not
updated because of policy or an option was incorrecty set. I would make
sure the user changes their password and then logs off and back in. Then
relaunch the browser and try again.