"The specified network password is not correct." exception when changing a users password

5

I am running an ASP.NET application that changes a user's password. The PasswordException "The specified network password is not correct." is getting thrown every time the ChangePassword method is called, even when the current password has been validated.

If I enter in an invalid current password, the exception gets thrown. This is the expected result.

If I enter in a valid current password, the exception gets thrown, but the password still gets changed (I've tested validating it immediately after the change).

The code is very simple:

var context = new PrincipalContext(ContextType.Domain, "domain.net");
var valid = context.ValidateCredentials(username, oldPassword);
var userPrincipal = UserPrincipal.FindByIdentity(context, username);
userPrincipal.ChangePassword(oldPassword, newPassword);

This results in the following exception being thrown every time, regardless of whether the current password is correct:

System.DirectoryServices.AccountManagement.PasswordException: The specified network password is not correct. (Exception from HRESULT: 0x80070056) ---> System.Runtime.InteropServices.COMException: The specified network password is not correct. (Exception from HRESULT: 0x80070056)
 --- End of inner exception stack trace ---
 at System.DirectoryServices.AccountManagement.SDSUtils.ChangePassword(DirectoryEntry de, String oldPassword, String newPassword)
 at System.DirectoryServices.AccountManagement.ADStoreCtx.ChangePassword(AuthenticablePrincipal p, String oldPassword, String newPassword)
 at StudentAccountManager.ChangeUserPassword(String username, String oldPassword, String newPassword)

Useful information:

  • The domain that the website is hosted on (ex. webdomain.net) is different from the domain that the password change is being done against.
  • There are three domain controllers in domain.net, one of which is read only.
  • Two of the domain controllers are on-site. The other is off-site. The PDC is on-site.
  • If any of the specific domain controllers (ex. dc1.domain.net, dc2.domain.net) is used in the PrincipalContext, everything works fine (all three have been tested).
  • The userPrincipal.SetPassword method works correctly when domain.net is specified in the PrincipalContext.
  • The user account running the application pool has permissions to change and set the password on domain.net.
  • There is a one-way trust between the domains (domain.net trusts webdomain.net).
  • The web server is running Windows Server 2012 R2; the domain controllers on domain.net are Windows Server 2008 R2.

My best guess is that there is a timing issue with a credential validation and the change password request being sent. Is it possible that the new credentials are being validated against a domain controller that hasn't received the request to change the password? This would result in the exception being thrown, but the password still being changed.

c#
asp.net
active-directory
passwords
asked on Stack Overflow Jan 26, 2016 by ddechant • edited Jan 26, 2016 by ddechant

3 Answers

5

Had a similar problem and believe it's related to MS16-014 https://support.microsoft.com/en-us/kb/3134228. It does actually state in this KB that there is a problem ("For example, the problem can occur when you try to change your "domain B" password from a computer that is joined to "domain A" and trust from domain A to Domain B is not configured.") but it's listed as a problem for kb3126041.

The following updates needed to be removed on my affected system

  • kb3126593
  • kb3126587

OS: Windows 2008 R2 SP1

Hope this helps.

answered on Stack Overflow Mar 7, 2016 by Ben
3

Microsoft has a fix: http://support.microsoft.com/en-us/kb/3139921 for 8.1/2012R2 and http://support.microsoft.com/en-us/kb/3140410 for 7/2008R2.

These patches eliminate the need to remove the older updates; I have seen this in 2 cases thus far.

That said, Ben is absolutely right; depending on your system you may also need to remove:

  • 3135173
  • 3135174
  • 3126593
  • 3126041
  • 3126587
  • 3126434

These are listed in: https://support.microsoft.com/en-us/kb/3134228

See my comment.

answered on Stack Overflow Mar 7, 2016 by robertpb • edited Mar 21, 2016 by robertpb
1

I had a web application server which was calling the ChangePassword method on the System.DirectoryServices.AccountManagement.AuthenticablePrincipal object. The current password and new password fields were properly populated and being sent in to ChangePassword method by an authenticated user.

In my case:

  • I was not going across domains; my web application server is on the same domain.
  • We had two domain controllers, both on the local network.
  • The web server is running Windows Server 2012 R2; I am unsure of the OS of the domain controllers.

My code is as follows:

public bool ChangePassword(string username, string oldPassword, string newPassword, out ActiveDirectoryMembership.LogonError changePasswordLogonError)
{
    try
    {
        using (var context = new PrincipalContext(ContextType.Domain, DomainServer, _ldapUsername, _ldapPassword))
        {
            using (var user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, username))
            {
                user.ChangePassword(oldPassword, newPassword);
                changePasswordLogonError = ActiveDirectoryMembership.LogonError.LogonSuccessful;
                return true;
            }
        }
    }
    catch (PrincipalOperationException pex)
    {
        if ((ActiveDirectoryMembership.LogonError)(pex.ErrorCode) == ActiveDirectoryMembership.LogonError.AccountLockedOut)
        {
            changePasswordLogonError = ActiveDirectoryMembership.LogonError.AccountLockedOut;
            return false;
        }
        else
            throw;
    }
    catch (PasswordException pwdEx)
    {
        Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.ExceptionPolicy.HandleException(pwdEx, Policies.WARNING_EXCEPTION_POLICY_NAME);

        // Look at the error message and attempt to parse out the HRESULT and map it to our LogonError enum.
        // A complete list of Network Management Error codes is available here: http://msdn.microsoft.com/en-us/library/windows/desktop/aa370674(v=vs.85).aspx
        // The HRESULT is a hex value which will need to be converted to an int in order to be matched against the list of Error code values.
        if (pwdEx.Message.Contains("HRESULT: 0x80070056"))
            changePasswordLogonError = ActiveDirectoryMembership.LogonError.LogonFailure;
        else if (pwdEx.Message.Contains("HRESULT: 0x800708C5"))
            changePasswordLogonError = ActiveDirectoryMembership.LogonError.PasswordDoesNotMeetComplexityRequirements;
        else
            throw;

        return false;
    }
    catch (Exception)
    {
        throw;
    }
}

My application server had all of the patches installed which are referenced in Microsoft Security Bulletin MS16-014. With KB3126041 installed, when a user attempted to change their password the following exception would be thrown; however, the password would be changed successfully. Additionally, the user would be able to log on with both the OLD and NEW password via the application!

Timestamp: 2016-03-08 12:39:55.033
Message: HandlingInstanceID: cd253adb-1e51-489a-8cf5-870568fb26ff
An exception of type 'System.DirectoryServices.AccountManagement.PasswordException' occurred and was caught.
------------------------------------------------------------------------------------------------------------
03/08/2016 12:39:54
Type : System.DirectoryServices.AccountManagement.PasswordException, System.DirectoryServices.AccountManagement, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
Message : The specified network password is not correct. (Exception from HRESULT: 0x80070056)
Source : System.DirectoryServices.AccountManagement
Help link : 
Data : System.Collections.ListDictionaryInternal
TargetSite : Void ChangePassword(System.DirectoryServices.DirectoryEntry, System.String, System.String)
HResult : -2146233087
Stack Trace :    at System.DirectoryServices.AccountManagement.SDSUtils.ChangePassword(DirectoryEntry de, String oldPassword, String newPassword)
   at System.DirectoryServices.AccountManagement.ADStoreCtx.ChangePassword(AuthenticablePrincipal p, String oldPassword, String newPassword)
   at System.DirectoryServices.AccountManagement.PasswordInfo.ChangePassword(String oldPassword, String newPassword)
   at System.DirectoryServices.AccountManagement.AuthenticablePrincipal.ChangePassword(String oldPassword, String newPassword)
   at MyApplication.Web.UI.Infrastructure.ActiveDirectoryMembershipProvider.ChangePassword(String username, String oldPassword, String newPassword, LogonError& changePasswordLogonError)

Additional Info:

MachineName : SOME-SERVER
TimeStamp : 3/8/2016 5:39:55 PM
FullName : Microsoft.Practices.EnterpriseLibrary.ExceptionHandling, Version=3.1.0.0, Culture=neutral, PublicKeyToken=null
AppDomainName : /LM/W3SVC/1/ROOT-3-131019323428219091
ThreadIdentity : 
WindowsIdentity : DOMAIN\App-Pool-Username
    Inner Exception
    ---------------
    Type : System.Runtime.InteropServices.COMException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
    Message : The specified network password is not correct. (Exception from HRESULT: 0x80070056)
    Source : 
    Help link : 
    ErrorCode : -2147024810
    Data : System.Collections.ListDictionaryInternal
    TargetSite : 
    HResult : -2147024810
    Stack Trace : The stack trace is unavailable.

WE REMOVED KB3126041 FROM THE APPLICATION SERVER AND ALL WAS FINE!

answered on Stack Overflow Mar 8, 2016 by codechurn
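Added example in the question's C#, not code from the question or from any of the answers: it pins both the credential check and the change to one named writable DC (the question reports that naming dc1.domain.net works where the bare domain name fails), reads the numeric HRESULT from the inner COMException instead of string-matching the message as codechurn's code does, and re-validates the new password against the same DC so the "exception thrown but password changed" case the thread describes is not reported as a failure. The dcHost parameter, the ChangeOutcome enum and the class name are assumptions.

```csharp
using System.DirectoryServices.AccountManagement;
using System.Runtime.InteropServices;

public enum ChangeOutcome { Changed, OldPasswordRejected, PolicyRejected, UserNotFound, Unknown }

public static class PinnedPasswordChanger
{
    // HRESULTs quoted in this thread: 0x80070056 wraps ERROR_INVALID_PASSWORD (86);
    // 0x800708C5 wraps NERR_PasswordTooShort (2245), the new password failing domain policy.
    private const int HrInvalidPassword = unchecked((int)0x80070056);
    private const int HrPasswordPolicy = unchecked((int)0x800708C5);

    // dcHost (assumed parameter) names one writable DC so that the credential check and the
    // change are served by the same directory replica rather than by two different DCs.
    public static ChangeOutcome Change(string dcHost, string username, string oldPassword, string newPassword)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, dcHost))
        {
            if (!ctx.ValidateCredentials(username, oldPassword))
                return ChangeOutcome.OldPasswordRejected;
            using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, username))
            {
                if (user == null)
                    return ChangeOutcome.UserNotFound;
                try
                {
                    user.ChangePassword(oldPassword, newPassword);
                    return ChangeOutcome.Changed;
                }
                catch (PasswordException ex)
                {
                    var outcome = Classify(ex);
                    // The thread describes hosts that raise 0x80070056 even though the change was applied;
                    // confirm against the same DC before reporting a failure to the user.
                    if (outcome == ChangeOutcome.OldPasswordRejected && ctx.ValidateCredentials(username, newPassword))
                        return ChangeOutcome.Changed;
                    return outcome;
                }
            }
        }
    }

    // Read the numeric HRESULT from the inner COMException (codechurn's log shows ErrorCode
    // -2147024810, i.e. 0x80070056, there) instead of string-matching a localizable message.
    private static ChangeOutcome Classify(PasswordException ex)
    {
        var com = ex.InnerException as COMException;
        int hr = com != null ? com.ErrorCode : ex.HResult;
        if (hr == HrInvalidPassword) return ChangeOutcome.OldPasswordRejected;
        if (hr == HrPasswordPolicy) return ChangeOutcome.PolicyRejected;
        return ChangeOutcome.Unknown;
    }
}
```

The re-validation only masks the symptom on a host affected by the updates the answers name; the fix they describe (installing the corrected update or removing the listed KBs) is still needed.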

User contributions licensed under CC BY-SA 3.0