Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

C# Active Directory Invoke “ChangePassword” cannot contact domain

Posted on 2016-09-01
3
Medium Priority
?
184 Views
Last Modified: 2016-10-11
Our custom application built on ASP.NET C# which uses the Active Directory classes was working just fine to change the password of Active Directory users, but it stopped working as soon as below updates were installed on server

https://support.microsoft.com/en-us/kb/3167679   
https://support.microsoft.com/en-us/kb/3177108

Now our password manager application are not able to change password. We un-installed the updated, and it started working just fine. We have a support from Microsoft but they are not willing to assist on this one as they treat this as a coding issue. to me it seems the active directory issue which was working earlier. Application thows the below exception as soon as we invoke the changepassword function:



The system cannot contact a domain controller to service the authentication request. Please try again later. (Exception from HRESULT: 0x800704F1)




Here's the code that we're using:
try
{
    State.log.WriteLine("Connecting LDAP.");
    string ldapPath = "LDAP://192.168.76.3";
    DirectoryEntry directionEntry = new DirectoryEntry(ldapPath, domainName + "\\" + userName, currentPassword);
    if (directionEntry != null)
    {
        DirectorySearcher search = new DirectorySearcher(directionEntry);
        State.log.WriteLine("LDAP Connected, searching directory for SAMAccountName");
        search.Filter = "(SAMAccountName=" + userName + ")";
        SearchResult result = search.FindOne();
        if (result != null)
        {
            State.log.WriteLine("Getting User Entry.");
            DirectoryEntry userEntry = result.GetDirectoryEntry();
            if (userEntry != null)
            {
               userEntry.Invoke("ChangePassword", new object[] { currentPassword, newPassword }); //This line gives the error
               
                userEntry.CommitChanges();
                State.log.WriteLine("Changes Committed to ActiveDirectory.");
            }
            else
            {
                State.log.WriteLine("Could not get user Entry...");
            }
        }
        else
        {
            State.log.WriteLine("Search returned no results.");
        }
    }
    else
    {
        State.log.WriteLine("Could not connect to LDAP with given username and passwd");
    }
}






I looked at the internet, and it seems many people/company are having this issue after the MS Update.




Could you please let me know if there are some other way to get around this issue without un-installing the updates?

Is Microsoft planning to release different path or security update to overcome this scenario?

Any help will be highly appreciated.
0
Comment
Question by:Arikkan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 

Author Comment

by:Arikkan
ID: 41781983
Can anyone answer my question??
0
 

Author Comment

by:Arikkan
ID: 41781993
Why cant I see request attention option for this question ????
0
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 2000 total points
ID: 41837970
Yes, that's true. As you can see there are known issues to MS (within KB description, you can find more details here https://support.microsoft.com/en-ca/kb/3178465).
Soon they should release hotfixes to those hotfixes :)

The problem is that NTLM authentication is no longer in use when you implement this hotfix 101
Only Kerberos authentication is possible. This is not a big problem for Windows Domain Controllers but It is a big challenge to applications written in the past.

You cannot just simply rollback hotfix, you need to unfortunately wait for new hotfix, which should be released soon or try to fix the code to use Kerberos authentication instead of NTLM

This hotfix should not be deployed yet in environments where custom applications are used to user password management.

I'm sorry for bad news. I still did not deploy it in my environment until fixes would be released.

Regards,
Krzysztof
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question