Solved

C# Active Directory Invoke “ChangePassword” cannot contact domain

Posted on 2016-09-01
3
131 Views
Last Modified: 2016-10-11
Our custom application built on ASP.NET C# which uses the Active Directory classes was working just fine to change the password of Active Directory users, but it stopped working as soon as below updates were installed on server

https://support.microsoft.com/en-us/kb/3167679   
https://support.microsoft.com/en-us/kb/3177108

Now our password manager application are not able to change password. We un-installed the updated, and it started working just fine. We have a support from Microsoft but they are not willing to assist on this one as they treat this as a coding issue. to me it seems the active directory issue which was working earlier. Application thows the below exception as soon as we invoke the changepassword function:



The system cannot contact a domain controller to service the authentication request. Please try again later. (Exception from HRESULT: 0x800704F1)




Here's the code that we're using:
try
{
    State.log.WriteLine("Connecting LDAP.");
    string ldapPath = "LDAP://192.168.76.3";
    DirectoryEntry directionEntry = new DirectoryEntry(ldapPath, domainName + "\\" + userName, currentPassword);
    if (directionEntry != null)
    {
        DirectorySearcher search = new DirectorySearcher(directionEntry);
        State.log.WriteLine("LDAP Connected, searching directory for SAMAccountName");
        search.Filter = "(SAMAccountName=" + userName + ")";
        SearchResult result = search.FindOne();
        if (result != null)
        {
            State.log.WriteLine("Getting User Entry.");
            DirectoryEntry userEntry = result.GetDirectoryEntry();
            if (userEntry != null)
            {
               userEntry.Invoke("ChangePassword", new object[] { currentPassword, newPassword }); //This line gives the error
               
                userEntry.CommitChanges();
                State.log.WriteLine("Changes Committed to ActiveDirectory.");
            }
            else
            {
                State.log.WriteLine("Could not get user Entry...");
            }
        }
        else
        {
            State.log.WriteLine("Search returned no results.");
        }
    }
    else
    {
        State.log.WriteLine("Could not connect to LDAP with given username and passwd");
    }
}






I looked at the internet, and it seems many people/company are having this issue after the MS Update.




Could you please let me know if there are some other way to get around this issue without un-installing the updates?

Is Microsoft planning to release different path or security update to overcome this scenario?

Any help will be highly appreciated.
0
Comment
Question by:SHANCHAT972
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 

Author Comment

by:SHANCHAT972
ID: 41781983
Can anyone answer my question??
0
 

Author Comment

by:SHANCHAT972
ID: 41781993
Why cant I see request attention option for this question ????
0
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 500 total points
ID: 41837970
Yes, that's true. As you can see there are known issues to MS (within KB description, you can find more details here https://support.microsoft.com/en-ca/kb/3178465).
Soon they should release hotfixes to those hotfixes :)

The problem is that NTLM authentication is no longer in use when you implement this hotfix 101
Only Kerberos authentication is possible. This is not a big problem for Windows Domain Controllers but It is a big challenge to applications written in the past.

You cannot just simply rollback hotfix, you need to unfortunately wait for new hotfix, which should be released soon or try to fix the code to use Kerberos authentication instead of NTLM

This hotfix should not be deployed yet in environments where custom applications are used to user password management.

I'm sorry for bad news. I still did not deploy it in my environment until fixes would be released.

Regards,
Krzysztof
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question