After a user changes their active directory password, through my site, the user can login with either the old password or the new password. If I restart the application in IIS manager the site only accepts the new password.
I have a site that uses Forms authentication for which I have implemented a customer membership provider. The backend of the custom membership provider is using an AD store for users and passwords. I'm not caching any passwords or credentials in code, and my custom membership provider class inherits ActiveDirectoryMembershipProvider buts uses DirectoryEntry for all of its validation and password changes. I have my customer provider added as a membership provider in web.config
The site is in ASP.NET 4.5.1 running on Windows Server 2008 R2
I can provide code samples from the membership provider if necessary.