Solved

C# Active Directory Invoke “ChangePassword” cannot contact domain

Posted on 2016-09-01
3
59 Views
Last Modified: 2016-10-11
Our custom application built on ASP.NET C# which uses the Active Directory classes was working just fine to change the password of Active Directory users, but it stopped working as soon as below updates were installed on server

https://support.microsoft.com/en-us/kb/3167679    
https://support.microsoft.com/en-us/kb/3177108

Now our password manager application are not able to change password. We un-installed the updated, and it started working just fine. We have a support from Microsoft but they are not willing to assist on this one as they treat this as a coding issue. to me it seems the active directory issue which was working earlier. Application thows the below exception as soon as we invoke the changepassword function:



The system cannot contact a domain controller to service the authentication request. Please try again later. (Exception from HRESULT: 0x800704F1)




Here's the code that we're using:
try
{
    State.log.WriteLine("Connecting LDAP.");
    string ldapPath = "LDAP://192.168.76.3";
    DirectoryEntry directionEntry = new DirectoryEntry(ldapPath, domainName + "\\" + userName, currentPassword);
    if (directionEntry != null)
    {
        DirectorySearcher search = new DirectorySearcher(directionEntry);
        State.log.WriteLine("LDAP Connected, searching directory for SAMAccountName");
        search.Filter = "(SAMAccountName=" + userName + ")";
        SearchResult result = search.FindOne();
        if (result != null)
        {
            State.log.WriteLine("Getting User Entry.");
            DirectoryEntry userEntry = result.GetDirectoryEntry();
            if (userEntry != null)
            {
               userEntry.Invoke("ChangePassword", new object[] { currentPassword, newPassword }); //This line gives the error
               
                userEntry.CommitChanges();
                State.log.WriteLine("Changes Committed to ActiveDirectory.");
            }
            else
            {
                State.log.WriteLine("Could not get user Entry...");
            }
        }
        else
        {
            State.log.WriteLine("Search returned no results.");
        }
    }
    else
    {
        State.log.WriteLine("Could not connect to LDAP with given username and passwd");
    }
}






I looked at the internet, and it seems many people/company are having this issue after the MS Update.




Could you please let me know if there are some other way to get around this issue without un-installing the updates?

Is Microsoft planning to release different path or security update to overcome this scenario?

Any help will be highly appreciated.
0
Comment
Question by:SHANCHAT972
  • 2
3 Comments
 

Author Comment

by:SHANCHAT972
ID: 41781983
Can anyone answer my question??
0
 

Author Comment

by:SHANCHAT972
ID: 41781993
Why cant I see request attention option for this question ????
0
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 500 total points
ID: 41837970
Yes, that's true. As you can see there are known issues to MS (within KB description, you can find more details here https://support.microsoft.com/en-ca/kb/3178465).
Soon they should release hotfixes to those hotfixes :)

The problem is that NTLM authentication is no longer in use when you implement this hotfix 101
Only Kerberos authentication is possible. This is not a big problem for Windows Domain Controllers but It is a big challenge to applications written in the past.

You cannot just simply rollback hotfix, you need to unfortunately wait for new hotfix, which should be released soon or try to fix the code to use Kerberos authentication instead of NTLM

This hotfix should not be deployed yet in environments where custom applications are used to user password management.

I'm sorry for bad news. I still did not deploy it in my environment until fixes would be released.

Regards,
Krzysztof
0

Join & Write a Comment

Companies that have implemented Microsoft’s Active Directory need to ensure that the Active Directory is configured and operating properly. If there are issues found and not resolved, it eventually leads the components to fail or stop working and fi…
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now