I have a web app that uses the Active Directory Membership Provider and when
a user changes their password, they can log in with either the old password or
the new password for a while.
This KB article (http://support.microsoft.com/kb/906305/en-us) leads me to
believe that this behavior is caused by NTLM authentication.
Is there a way to configure the AD Membership Provider to only do Kerberos
Authentication and not NTLM?
NOTE: My app configures the provider with a minimum set of parameters, so every
configuration setting is set to its default.
It does not appear that you can change the method used. It's odd that both passwords would still work unless the credentials are being cached locally as if it were a disconnected machine (similar to what happens when you disconnect a machine from a domain and log into it). This doesn't sound like something the provider itself is doing, unless the provider is caching credentials. I didn't see anything for expiration of credentials, which leads me to believe that it is not doing that.
It sounds odd that they could log in with both passwords; I would expect one or the other to work, depending on GC replication lag between DCs or something along those lines.
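As an added example (not from this thread), a PowerShell check, run on a domain controller, for the NTLM old-password grace period that KB 906305 describes; it assumes the KB's `OldPasswordAllowedPeriod` REG_DWORD (minutes) under the Lsa key and treats an absent value as the default grace period:

```powershell
# Added example, not from the thread above.
# Assumption (from KB 906305): on a domain controller, NTLM keeps accepting a
# user's previous password for a grace period after a change. The period is
# governed by OldPasswordAllowedPeriod (REG_DWORD, minutes) under the Lsa key;
# when the value is absent the default of about 60 minutes applies. Kerberos
# logons are not affected by this setting, which matches the symptom in the
# question only if the provider is authenticating over NTLM.
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valName = 'OldPasswordAllowedPeriod'

function Get-OldPasswordGracePeriod {
    $prop = Get-ItemProperty -Path $lsaKey -Name $valName -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Value not present: the built-in default grace period is in effect.
        return [pscustomobject]@{ Configured = $false; Minutes = 60 }
    }
    return [pscustomobject]@{ Configured = $true; Minutes = [int]$prop.$valName }
}

function Set-OldPasswordGracePeriod {
    param([Parameter(Mandatory)][ValidateRange(0, 1440)][int]$Minutes)
    # 0 means the old password stops working for NTLM as soon as it is changed.
    # Apply the same value on every domain controller so behaviour is consistent.
    New-ItemProperty -Path $lsaKey -Name $valName -PropertyType DWord `
        -Value $Minutes -Force | Out-Null
}

$state = Get-OldPasswordGracePeriod
if ($state.Configured) {
    Write-Output "$valName is set to $($state.Minutes) minute(s)"
} else {
    Write-Output "$valName is not set; default grace period of about $($state.Minutes) minutes applies"
}

# Example: remove the grace period on this DC (run elevated).
# Set-OldPasswordGracePeriod -Minutes 0
```

Shortening or removing the grace period only changes how long NTLM honours the old password; it does not make the membership provider use Kerberos.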