LDAP Change password: Exception from HRESULT: 0x80070547

1

I am trying to run my password change application from a non domain joined machine. The code works fine when run from a domain joined machine. So now, I am connecting to the AD with a direct LDAP connection via SSL. After the ChangePassword method is invoked, I am getting an error:

Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. (Exception from HRESULT: 0x80070547).

I am making the connection and running the application using a service account with permission to change user passwords.

```csharp
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

// Domain, AdminUserName, AdminUserPassword, LDAPString, userName,
// OldPassword and NewPassword are supplied elsewhere in the application.
string adminUser = Domain + @"\" + AdminUserName;
string adminPass = AdminUserPassword;
string ldapString = LDAPString;
string currentdc;

// Bind to the directory with the service account over the configured LDAP string.
DirectoryEntry de = new DirectoryEntry(ldapString, adminUser, adminPass, AuthenticationTypes.Secure);
DirectorySearcher deSearch = new DirectorySearcher(de) { SearchRoot = de, Filter = "(&(objectCategory=user)(cn=" + userName + "))" };

SearchResult result = deSearch.FindOne();

if (result != null)
{
    // Context for the domain the running machine is joined to; records the DC it connected to.
    var adContext = new PrincipalContext(ContextType.Domain);
    currentdc = adContext.ConnectedServer;

    DirectoryEntry userEntry = result.GetDirectoryEntry();

    if (userEntry != null)
    {
        // Calls IADsUser::ChangePassword, which requires the old password.
        userEntry.Invoke("ChangePassword", new object[] { OldPassword, NewPassword });
    }
}
```
Tags: c#, asp.net, active-directory, ldap
asked on Stack Overflow Nov 8, 2019 by Sam • edited Nov 8, 2019 by Brett Caswell

1 Answer

1

Invoking ChangePassword calls IADsUser::ChangePassword. That documentation says it works much the same as IADsUser::SetPassword. That documentation has more information. Really, only the first method would work when you're running this from outside the domain:

First, the LDAP provider attempts to use LDAP over a 128-bit SSL connection. For LDAP SSL to operate successfully, the LDAP server must have the appropriate server authentication certificate installed and the clients running the ADSI code must trust the authority that issued those certificates. Both the server and the client must support 128-bit encryption.

I assume your LDAPString is in the format LDAP://example.com:636 (the :636 being the important part). If you can read data like that, then the SSL certificate is trusted. So that's good.

The only maybe missing piece could be 128-bit encryption? Check the certificate and see if it's maybe using less than 128-bit. Although I'd be surprised if it did.

This answer has a short snippet of code that you can use to download a certificate from any site: https://stackoverflow.com/a/22251597/1202807

Just use "https://example.com:636" as the "website".

There is also this:

In Active Directory, the caller must have the Change Password extended control access right to change the password with this method.

You should make sure that the user account you are authenticating to LDAP with does have the Change Password permission on the account you are trying to update. In our environment, Everyone has the Change Password permission (since you still need to provide the old password to do it). I think that's the default, but it's worth checking.

answered on Stack Overflow Nov 8, 2019 by Gabriel Luci • edited Nov 8, 2019 by Gabriel Luci
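The two preconditions the answer quotes (the client trusts the DC's certificate, and the session negotiates at least 128-bit encryption) can be checked from the non domain joined machine without touching any password. The following diagnostic is an added example, not code from the question or the answer; the host name `dc1.example.com` is a placeholder and should be the same name used in your LDAPString, since the certificate must match it.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;

// Opens a TLS session to the LDAPS port and reports certificate trust and
// negotiated cipher strength, the same checks ADSI performs before ChangePassword.
public static class LdapsCheck
{
    const string DcHost = "dc1.example.com"; // placeholder: your domain controller
    const int LdapsPort = 636;

    public static void Main()
    {
        SslPolicyErrors chainErrors = SslPolicyErrors.None;

        using (var tcp = new TcpClient(DcHost, LdapsPort))
        using (var tls = new SslStream(tcp.GetStream(), false,
            (sender, cert, chain, errors) =>
            {
                // Record the validation outcome instead of throwing so a broken
                // trust chain is reported rather than hidden behind an exception.
                chainErrors = errors;
                return true;
            }))
        {
            tls.AuthenticateAsClient(DcHost);

            var serverCert = new X509Certificate2(tls.RemoteCertificate);
            Console.WriteLine("Subject:       " + serverCert.Subject);
            Console.WriteLine("Issuer:        " + serverCert.Issuer);
            Console.WriteLine("Expires:       " + serverCert.NotAfter);
            Console.WriteLine("Trusted chain: " + (chainErrors == SslPolicyErrors.None ? "yes" : chainErrors.ToString()));
            Console.WriteLine("Protocol:      " + tls.SslProtocol);
            Console.WriteLine("Cipher:        " + tls.CipherAlgorithm + " / " + tls.CipherStrength + "-bit");

            // ADSI needs a trusted certificate and at least 128-bit encryption.
            bool ok = chainErrors == SslPolicyErrors.None && tls.CipherStrength >= 128;
            Console.WriteLine(ok ? "LDAPS prerequisites satisfied." : "LDAPS prerequisites NOT satisfied.");
        }
    }
}
```

If "Trusted chain" reports anything other than yes, import the issuing CA into the client's Trusted Root Certification Authorities store before retrying the password change.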

User contributions licensed under CC BY-SA 3.0