Solved

C# Active Directory Invoke “ChangePassword” cannot contact domain

Posted on 2016-09-01
3
151 Views
Last Modified: 2016-10-11
Our custom application built on ASP.NET C# which uses the Active Directory classes was working just fine to change the password of Active Directory users, but it stopped working as soon as below updates were installed on server

https://support.microsoft.com/en-us/kb/3167679   
https://support.microsoft.com/en-us/kb/3177108

Now our password manager application are not able to change password. We un-installed the updated, and it started working just fine. We have a support from Microsoft but they are not willing to assist on this one as they treat this as a coding issue. to me it seems the active directory issue which was working earlier. Application thows the below exception as soon as we invoke the changepassword function:



The system cannot contact a domain controller to service the authentication request. Please try again later. (Exception from HRESULT: 0x800704F1)




Here's the code that we're using:
try
{
    State.log.WriteLine("Connecting LDAP.");
    string ldapPath = "LDAP://192.168.76.3";
    DirectoryEntry directionEntry = new DirectoryEntry(ldapPath, domainName + "\\" + userName, currentPassword);
    if (directionEntry != null)
    {
        DirectorySearcher search = new DirectorySearcher(directionEntry);
        State.log.WriteLine("LDAP Connected, searching directory for SAMAccountName");
        search.Filter = "(SAMAccountName=" + userName + ")";
        SearchResult result = search.FindOne();
        if (result != null)
        {
            State.log.WriteLine("Getting User Entry.");
            DirectoryEntry userEntry = result.GetDirectoryEntry();
            if (userEntry != null)
            {
               userEntry.Invoke("ChangePassword", new object[] { currentPassword, newPassword }); //This line gives the error
               
                userEntry.CommitChanges();
                State.log.WriteLine("Changes Committed to ActiveDirectory.");
            }
            else
            {
                State.log.WriteLine("Could not get user Entry...");
            }
        }
        else
        {
            State.log.WriteLine("Search returned no results.");
        }
    }
    else
    {
        State.log.WriteLine("Could not connect to LDAP with given username and passwd");
    }
}






I looked at the internet, and it seems many people/company are having this issue after the MS Update.




Could you please let me know if there are some other way to get around this issue without un-installing the updates?

Is Microsoft planning to release different path or security update to overcome this scenario?

Any help will be highly appreciated.
0
Comment
Question by:SHANCHAT972
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 

Author Comment

by:SHANCHAT972
ID: 41781983
Can anyone answer my question??
0
 

Author Comment

by:SHANCHAT972
ID: 41781993
Why cant I see request attention option for this question ????
0
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 500 total points
ID: 41837970
Yes, that's true. As you can see there are known issues to MS (within KB description, you can find more details here https://support.microsoft.com/en-ca/kb/3178465).
Soon they should release hotfixes to those hotfixes :)

The problem is that NTLM authentication is no longer in use when you implement this hotfix 101
Only Kerberos authentication is possible. This is not a big problem for Windows Domain Controllers but It is a big challenge to applications written in the past.

You cannot just simply rollback hotfix, you need to unfortunately wait for new hotfix, which should be released soon or try to fix the code to use Kerberos authentication instead of NTLM

This hotfix should not be deployed yet in environments where custom applications are used to user password management.

I'm sorry for bad news. I still did not deploy it in my environment until fixes would be released.

Regards,
Krzysztof
0

Featured Post

[Webinar] Code, Load, and Grow

Managing multiple websites, servers, applications, and security on a daily basis? Join us for a webinar on May 25th to learn how to simplify administration and management of virtual hosts for IT admins, create a secure environment, and deploy code more effectively and frequently.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question