Passwords are not cached by ACS for dynamically created users. Please break the communication between ACS and AD and then try to connect.

That will let us know if the issue is with ACS or AD.

Regards,

~JG

Do rate helpful posts

More info

Windows 2003 SP1 changes NTLM behavior and because of this, two passwords can be valid for an hour after the password has changed.

Here is the article:

http://support.microsoft.com/kb/906305/en-us

Regards,

~JG

Do rate helpful posts

I have a scenario for you in active directory when two passwords may be valid:

Old passwords can also work on domain controllers that have not received replication yet from either the domain controller the password was changed on, or the PDC emulator in the domain.

Let's take a scenario where we have a 3 site, 3 domain controller (DC) active directory: Site1 with DC1, site2 with DC2 and site3 with DC3.

The ACS application resides in Site3 and is configured to use DC3 for authentication. We have a user "user1" with a password of "123".

User1 decides to call the helpdesk and changes his password to "456".

The helpdesk uses DC1 to make password changes because they are located in site1. For a period of time (based on replication, which defaults to 3 hours between sites) the 123 password and the 456 password will be

valid.

If the user1 user tries the "123" password it will work until DC3 receives the changed password from normal replication. If user1 tries to use 456, DC3 will flag this as a wrong password, and then check the PDC

emulator of the domain to see if it has received a newer password. The PDC emulator will validate the login, and then trigger an immediate replication with DC3.

Regards,

~JG

Do rate helpful posts

Many thanks for your quick answers.

I will see with the other team to see if it's apply or not but the scenario that you explain is good for my case.

Except that the user/password for the user is located on the same Domain Controller (I guess) than the Cisco ACS.

But I will see with them.

So, thanks ;o)