
Can AD Membership Provider be configured to use Kerberos

I have a web app that uses the Active Directory Membership Provider and when a user changes their password, they can log in with either the old password or the new password for a while.

This KB article (http://support.microsoft.com/kb/906305/en-us) leads me to believe that this behavior is caused by NTLM authentication.

Is there a way to configure the AD Membership Provider to only do Kerberos Authentication and not NTLM?

NOTE: My app configures the provider with a minimum set of parameters, so every configuration setting is set to its default.


It does not appear that you can change the method used. It's odd that both passwords would still work unless the credentials are being cached locally as if it were a disconnected machine (similar to what happens when you disconnect a machine from a domain and log into it). This doesn't sound like something the provider itself is doing, unless the provider is caching credentials. I didn't see anything for expiration of credentials, which leads me to believe that it is not doing that.

It sounds odd that they could log in with both passwords; I would expect one or the other to work, depending on GC replication lag between DCs or something along those lines.
