
C# Active Directory Invoke “ChangePassword” cannot contact domain

Posted on 2016-09-01
Last Modified: 2016-10-11
Our custom application, built on ASP.NET C# and using the Active Directory classes, was working just fine to change the passwords of Active Directory users, but it stopped working as soon as the updates below were installed on the server:

https://support.microsoft.com/en-us/kb/3167679   
https://support.microsoft.com/en-us/kb/3177108

Now our password manager application is not able to change passwords. We uninstalled the updates, and it started working just fine. We have support from Microsoft, but they are not willing to assist on this one as they treat it as a coding issue. To me it seems to be an Active Directory issue, since it was working earlier. The application throws the exception below as soon as we invoke the ChangePassword function:

The system cannot contact a domain controller to service the authentication request. Please try again later. (Exception from HRESULT: 0x800704F1)

Here's the code that we're using:

using System;
using System.DirectoryServices;

try
{
    State.log.WriteLine("Connecting LDAP.");
    string ldapPath = "LDAP://192.168.76.3";
    // Bind as the user whose password is being changed (domain\user + current password).
    DirectoryEntry directionEntry = new DirectoryEntry(ldapPath, domainName + "\\" + userName, currentPassword);
    // Note: the constructor never returns null; the actual bind happens lazily on first use (FindOne below).
    if (directionEntry != null)
    {
        DirectorySearcher search = new DirectorySearcher(directionEntry);
        State.log.WriteLine("LDAP Connected, searching directory for SAMAccountName");
        // userName is placed directly into the LDAP filter; it should be escaped if it can come from user input.
        search.Filter = "(SAMAccountName=" + userName + ")";
        SearchResult result = search.FindOne();
        if (result != null)
        {
            State.log.WriteLine("Getting User Entry.");
            DirectoryEntry userEntry = result.GetDirectoryEntry();
            if (userEntry != null)
            {
                // Calls the ADSI IADsUser::ChangePassword method on the user object.
                userEntry.Invoke("ChangePassword", new object[] { currentPassword, newPassword }); // This line gives the error

                userEntry.CommitChanges();
                State.log.WriteLine("Changes Committed to ActiveDirectory.");
            }
            else
            {
                State.log.WriteLine("Could not get user Entry...");
            }
        }
        else
        {
            State.log.WriteLine("Search returned no results.");
        }
    }
    else
    {
        State.log.WriteLine("Could not connect to LDAP with given username and passwd");
    }
}
catch (Exception ex)
{
    // The COM error (HRESULT 0x800704F1) raised by Invoke surfaces here.
    State.log.WriteLine("ChangePassword failed: " + ex.Message);
    throw;
}

I looked on the internet, and it seems many people/companies are having this issue after the MS update.
Could you please let me know if there is some other way to get around this issue without uninstalling the updates?

Is Microsoft planning to release a different patch or security update to overcome this scenario?

Any help will be highly appreciated.
Question by:SHANCHAT972

Author Comment

by:SHANCHAT972
ID: 41781983
Can anyone answer my question?


Author Comment

by:SHANCHAT972
ID: 41781993
Why can't I see the "request attention" option for this question?


Accepted Solution

by:
Krzysztof Pytko earned 500 total points
ID: 41837970
Yes, that's true. As you can see, there are known issues acknowledged by MS (within the KB description; you can find more details here: https://support.microsoft.com/en-ca/kb/3178465).
Soon they should release hotfixes to those hotfixes :)

The problem is that NTLM authentication is no longer in use when you implement this hotfix 101.
Only Kerberos authentication is possible. This is not a big problem for Windows Domain Controllers, but it is a big challenge for applications written in the past.

You cannot just simply roll back the hotfix; unfortunately you need to wait for a new hotfix, which should be released soon, or try to fix the code to use Kerberos authentication instead of NTLM.

This hotfix should not be deployed yet in environments where custom applications are used for user password management.

I'm sorry for the bad news. I still have not deployed it in my environment and will not until the fixes are released.

Regards,
Krzysztof
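The accepted answer's advice is to make the application authenticate with Kerberos rather than NTLM. The following C# is an added illustration of what that change looks like for the asker's ChangePassword code above; it is not code from the question, the answerer, or Microsoft. It assumes a domain controller reachable by DNS name (placeholder dc01.example.local in the domain example.local); Kerberos needs a service principal name such as ldap/dc01.example.local, and the IP literal used in the original path (LDAP://192.168.76.3) has no SPN, so that bind can only fall back to NTLM. The first method uses System.DirectoryServices.AccountManagement, the second stays close to the original DirectoryEntry/Invoke pattern but requests a secure, signed and sealed bind and escapes the search filter.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Text;

// Added example, not the asker's code: self-service password change over a
// Kerberos-capable bind. Host names below are placeholders.
public static class KerberosPasswordChange
{
    // Path 1: AccountManagement API. Negotiate selects Kerberos when an SPN
    // for the DC/domain name exists; Signing + Sealing protect the LDAP channel.
    public static bool ChangeWithAccountManagement(string domainDns,      // e.g. "example.local" (placeholder)
                                                   string userName,
                                                   string currentPassword,
                                                   string newPassword)
    {
        var options = ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing;
        using (var ctx = new PrincipalContext(ContextType.Domain, domainDns, null, options,
                                              userName, currentPassword))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userName))
        {
            if (user == null)
                return false;

            // ChangePassword needs the current password (a self-service change);
            // SetPassword would be an administrative reset and requires reset rights.
            user.ChangePassword(currentPassword, newPassword);
            return true;
        }
    }

    // Path 2: same operation through DirectoryEntry, as in the original code,
    // but bound to a DNS name with an explicit secure/signed/sealed bind.
    public static void ChangeWithDirectoryEntry(string dcFqdn,          // e.g. "dc01.example.local" (placeholder)
                                                string domainNetbios,   // e.g. "EXAMPLE" (placeholder)
                                                string userName,
                                                string currentPassword,
                                                string newPassword)
    {
        string ldapPath = "LDAP://" + dcFqdn;   // DNS name, not an IP literal
        var authTypes = AuthenticationTypes.Secure
                      | AuthenticationTypes.Signing
                      | AuthenticationTypes.Sealing;

        using (var root = new DirectoryEntry(ldapPath, domainNetbios + "\\" + userName, currentPassword, authTypes))
        using (var searcher = new DirectorySearcher(root))
        {
            // Escape the value so a crafted user name cannot change the meaning of the filter.
            searcher.Filter = "(sAMAccountName=" + EscapeLdapFilter(userName) + ")";
            SearchResult result = searcher.FindOne();   // first real bind happens here
            if (result == null)
                throw new InvalidOperationException("User not found: " + userName);

            using (DirectoryEntry userEntry = result.GetDirectoryEntry())
            {
                userEntry.AuthenticationType = authTypes;
                // IADsUser::ChangePassword writes immediately; CommitChanges is not required for it.
                userEntry.Invoke("ChangePassword", new object[] { currentPassword, newPassword });
            }
        }
    }

    // RFC 4515 escaping for a value placed inside an LDAP search filter.
    public static string EscapeLdapFilter(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }
}
```

Whether the bind actually went over Kerberos can be confirmed on the domain controller: a successful Kerberos logon is recorded as event 4624 with Authentication Package "Kerberos" (plus a 4768/4769 ticket request), while an NTLM fallback shows Authentication Package "NTLM" on the same event. Seeing NTLM there with a DNS-name bind usually means the SPN or DNS resolution is wrong, not the code.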
