After password change in AD, Outlook will not prompt to enter credentials for a day or more

I was referred here from an Office 365 post. This is my original issue:

I recently enforced a password policy for the first time. I am using Microsoft Server 2012 and syncing my AD to Exchange Online. After a user changes their Windows password via Ctrl+Alt+Delete, Outlook will not prompt for new credentials. The old credentials continue to work. However, if the user logs on to OWA, the old password does not work, and the new one does.

I have the FIM configured to sync every hour, and I have tried manually syncing it as well. Restarting the computer does not cause Outlook to prompt for the new password either. It takes about a day for Outlook to catch up.

How can I get Outlook to prompt for the new password right after the user changes their Windows password?

Mike

http://community.office365.com/en-us/f/613/p/267954/821766.aspx#821766

October 3rd, 2014 2:20pm

Outlook will not prompt for new credentials. The old credentials continue to work.

"The old credentials continue to work" - Are you able to send/receive emails after changing the password? And you are in cached mode, correct?

Which authentication option are you using in the Outlook client, NTLM or Negotiate Authentication? Please switch to a different one and then check the result.

Regards,

Ethan Hua
TechNet Community Support

October 6th, 2014 8:59am

I am able to send/receive emails from Outlook after changing the password in AD, even though Outlook has not prompted for new credentials.

I am using Anonymous Authentication. This is how Outlook configures itself automatically when I set up a new user. I have tried all other authentications, but they do not work at any time. The only one that will accept a password is Anonymous.

Mike

October 6th, 2014 7:31pm

And I am using cached mode.
October 6th, 2014 7:32pm

I just found a workaround. I changed my Windows password, and then removed the Outlook credentials from Credential Manager. After closing and opening Outlook, it prompted for the new password.

Mike

October 8th, 2014 1:38pm

I was about to involve someone familiar with this topic to further look at this issue. Anyway, good to see you have your problem resolved now.

Regards,

Ethan Hua
TechNet Community Support

October 9th, 2014 5:05am

Hi Ethan,

Although I have found a workaround, I was still hoping that there would be a solution that didn't require user intervention.

I have discovered one more interesting fact. I forced a password change on 2 people who use Outlook 2007. After the password change, they closed Outlook. Upon opening it again, Outlook did ask for the password. So I wonder what changed in Outlook 2010 and Outlook 2013 that causes a delay.

I just wanted to share my discovery.

Mike

October 9th, 2014 5:39pm

Hi Mike,

Thank you for your reply and for sharing the discovery above. I have escalated this anyway; our engineer will take a further look at this issue and get back to you soon.

I'm unmarking it for now, thanks for your understanding.

Regards,

Ethan Hua
TechNet Community Support

October 10th, 2014 9:27am

This is expected behavior.

Outlook will not prompt immediately because it is not required to do so for Exchange resource access. The cached creds are valid for as long as the existing token in ADFS (and also within orgID in our cloud) matched to the old password in credman is valid. The default token life is 10 hours, but that value can be modified. Once that token expires, when Outlook tries to pass the old creds (that are no longer valid), Exchange will refuse them, and only then should Outlook prompt. You can use both Outlook ETL data and NETSH data to see when Outlook is prompted and what is passed.

If you expect an immediate prompt out of the box when a password is changed, that is simply not correct. If there is a business requirement for an immediate prompt, you could implement a policy to never cache creds into credman (this is Windows and not within our Outlook expertise). The downside here is obvious: users would be prompted every time they restart Outlook.

Hope this helps

October 15th, 2014 4:40pm
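The workaround Mike describes (clearing the Outlook entries from Credential Manager so the cached token tied to the old password is no longer reused) can be scripted so it does not depend on the user doing it by hand, for example as a logon script after a password change. This is an added example, not code from the thread or from Microsoft; it assumes the cached Outlook/Office 365 entries can be recognised by a target-name pattern (the default pattern below is an assumption and should be checked against `cmdkey /list` on a real client).

```powershell
# Added example: clear cached Outlook / Office 365 credentials from Windows
# Credential Manager so Outlook prompts for the new AD password on next start.
# The target-name pattern is an assumption; verify it with 'cmdkey /list'.

function Get-CachedOutlookCredentialTargets {
    param([string]$Pattern = 'MicrosoftOffice|Outlook|office365|outlook\.com')
    # cmdkey /list prints one "Target: <name>" line per stored credential,
    # e.g. "Target: LegacyGeneric:target=MicrosoftOffice15_Data:SSPI:user@contoso.com".
    cmdkey /list | ForEach-Object {
        if ($_ -match '^\s*Target:\s*(.+)$') { $Matches[1].Trim() }
    } | Where-Object { $_ -match $Pattern }
}

function Remove-CachedOutlookCredentials {
    param(
        [string]$Pattern = 'MicrosoftOffice|Outlook|office365|outlook\.com',
        [switch]$WhatIf   # list what would be removed without deleting anything
    )
    # Outlook keeps the old token in memory; it only re-authenticates on restart.
    if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
        Write-Warning 'Outlook is running; close and reopen it after this script to get the prompt.'
    }
    $targets = @(Get-CachedOutlookCredentialTargets -Pattern $Pattern)
    if ($targets.Count -eq 0) {
        Write-Output 'No matching cached credentials found.'
        return
    }
    foreach ($target in $targets) {
        if ($WhatIf) {
            Write-Output "Would delete: $target"
        } else {
            # cmdkey accepts the full target string as printed by /list.
            cmdkey /delete:$target | Out-Null
            Write-Output "Deleted: $target"
        }
    }
}

# Dry run first, then the real removal.
Remove-CachedOutlookCredentials -WhatIf
Remove-CachedOutlookCredentials
```

Run it in the user's own session (Credential Manager is per user), and note that it only removes the locally cached secret; the old ADFS token described above still expires on its own schedule.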

Thank you for taking the time to answer my question. This explains what I needed to know.

Mike

October 20th, 2014 7:39pm

"The default token life is 10 hours, but that value can be modified."

I am having the same issue as this fellow. How exactly would one change the default token life?

May 22nd, 2015 12:39pm
