Active Directory user password change: Keycloak accepts both old and new password

Using Keycloak 4.1.0.Final. Looking at that version number and comparing it with the current one, this would seem rather old. However, its release was one year and a few months ago. I’m already having trouble finding documentation for this particular version.

I’ve come upon an odd issue I can’t seem to fix. Here’s the use case:

An Active Directory admin changes a user’s password. This AD is configured in the user federation in Keycloak.
After that the user is able to log in using both the new and the old password.
From what I read online, the password is always queried against LDAP (AD). But that user is not able to log in to the workstation itself using the old password.

I cleared all caches in Keycloak that I know of. I set the cache policy of the user federation to NO_CACHE. The issue is still the same, and I’m not sure what else I can do to fix this problem.

So any advice would be greatly appreciated.

Thanks!


I would suggest trying to reproduce the issue in the most recent version of Keycloak. If memory serves me correctly, this issue was reported and fixed at some point.

It is an AD bug:
https://www.ibm.com/support/pages/old-password-still-usable-after-password-changed-when-using-active-directory
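The two replies point in different directions (reproduce on a newer Keycloak, or blame AD). The quickest way to tell them apart is to take Keycloak out of the picture and bind to AD directly with the old and the new password. The script below is an added diagnostic written for this thread, not code from the original posts or from Keycloak; it assumes the OpenLDAP client tools (ldapwhoami) are installed, and the host and bind DN are placeholders you replace with your own.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: bind directly to AD with the old
# and the new password to see whether AD itself still honours the old one.
# Assumptions (not in the original post): OpenLDAP client tools installed
# (ldapwhoami), and these placeholder values for the DC and the user DN.
AD_HOST="${AD_HOST:-ldaps://dc01.example.com}"                 # assumed placeholder
BIND_DN="${BIND_DN:-CN=Jane Doe,OU=Users,DC=example,DC=com}"    # assumed placeholder

# try_bind DN PASSWORD: exit 0 if AD accepts a simple bind, non-zero otherwise.
# The password is passed via a temp file (-y) so it never shows up in `ps`.
try_bind() {
  pwfile=$(mktemp) || return 2
  printf '%s' "$2" > "$pwfile"
  ldapwhoami -x -H "$AD_HOST" -D "$1" -y "$pwfile" >/dev/null 2>&1
  rc=$?
  rm -f "$pwfile"
  return "$rc"
}

# verdict OLD_RESULT NEW_RESULT: map the two bind outcomes (0 = accepted)
# to where the problem lies.
verdict() {
  if [ "$1" -eq 0 ] && [ "$2" -eq 0 ]; then
    echo "ad-accepts-both"     # AD honours the old password itself; not a Keycloak cache issue
  elif [ "$1" -ne 0 ] && [ "$2" -eq 0 ]; then
    echo "ad-correct"          # only the new password binds; if Keycloak still takes the old one, look at Keycloak
  elif [ "$1" -eq 0 ] && [ "$2" -ne 0 ]; then
    echo "new-not-effective"   # this DC still has the old password; the change has not reached it
  else
    echo "neither-binds"       # wrong host, DN or both passwords; fix the test setup first
  fi
}

main() {
  if try_bind "$BIND_DN" "$OLD_PASSWORD"; then old=0; else old=1; fi
  if try_bind "$BIND_DN" "$NEW_PASSWORD"; then new=0; else new=1; fi
  echo "old password bind: $old (0 = accepted), new password bind: $new"
  echo "verdict: $(verdict "$old" "$new")"
}

# Runs only when both passwords are supplied, e.g.
#   OLD_PASSWORD='...' NEW_PASSWORD='...' AD_HOST=ldaps://dc01.example.com sh check-ad-bind.sh
if [ -n "${OLD_PASSWORD:-}" ] && [ -n "${NEW_PASSWORD:-}" ]; then
  main
fi
```

Point AD_HOST at the same domain controller Keycloak's connection URL uses; with several DCs, a password change made on one of them is not visible on the others until replication completes, which is what the new-not-effective verdict flags. If the verdict is ad-accepts-both, AD is honouring the old password on its own, which is the behaviour the IBM page above describes: Microsoft documents it in KB906305, where the grace period is the OldPasswordAllowedPeriod DWORD (in minutes, default 60) under HKLM\SYSTEM\CurrentControlSet\Control\Lsa on the domain controllers. Clearing Keycloak caches or setting NO_CACHE cannot change that, because every bind is answered by AD.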