Has anyone had this problem or know the fix? I am running Domino 6.01 with the critical fix and session authentication. I have a group of web users that need to change their password every 90 days, so I created a explicit security policy with a security setting. Under the password management tab I enabled users to change internet password, set enforce password expiration to internet only set the required change interval to 90 days, allowed grace period to 20 days, and selected a required password quality. I then added the policy to each users person document. The next day users received the R6 change password form to change their password. They were all able to successfully change their password and login to their database. Two days later they login and the server says you provided an invalid username or password. So I logged in using one of their user accounts with their previous password and I was prompted with the R6 change password form. I successfully changed this persons password. I waited an hour then restarted the adminp process and ran load updall on the addressbook. I logged in using the same account with the new password which logged in successfully, then using a new browser window I logged in using the same account with the previous password which was also successful. I am confused, I was assuming that the users would have to change their password every 90 days the old password would be removed and the new password would take affect.