ddechant

Reputation: 151

"The specified network password is not correct." exception when changing a user's password

I am running an ASP.NET application that changes a user's password. The PasswordException "The specified network password is not correct." is getting thrown every time the ChangePassword method is called, even when the current password has been validated.

If I enter in an invalid current password, the exception gets thrown. This is the expected result.

If I enter in a valid current password, the exception gets thrown, but the password still gets changed (I've tested validating it immediately after the change).

The code is very simple:

var context = new PrincipalContext(ContextType.Domain, "domain.net");
var valid = context.ValidateCredentials(username, oldPassword);
var userPrincipal = UserPrincipal.FindByIdentity(context, username);
userPrincipal.ChangePassword(oldPassword, newPassword);

This results in the following exception being thrown every time, regardless of whether the current password is correct or not:

System.DirectoryServices.AccountManagement.PasswordException: The specified network password is not correct. (Exception from HRESULT: 0x80070056) ---> System.Runtime.InteropServices.COMException: The specified network password is not correct. (Exception from HRESULT: 0x80070056)
 --- End of inner exception stack trace ---
 at System.DirectoryServices.AccountManagement.SDSUtils.ChangePassword(DirectoryEntry de, String oldPassword, String newPassword)
 at System.DirectoryServices.AccountManagement.ADStoreCtx.ChangePassword(AuthenticablePrincipal p, String oldPassword, String newPassword)
 at StudentAccountManager.ChangeUserPassword(String username, String oldPassword, String newPassword)

Useful information:

My best guess is that there is a timing issue with a credential validation and the change password request being sent. Is it possible that the new credentials are being validated against a domain controller that hasn't received the request to change the password? This would result in the exception being thrown, but the password still being changed.

Upvotes: 5

Views: 13649

Answers (3)

robertpb

Reputation: 71

Microsoft has a fix: http://support.microsoft.com/en-us/kb/3139921 for 8.1/2012R2 and http://support.microsoft.com/en-us/kb/3140410 for 7/2008R2.

These patches eliminate the need to remove the older updates-- I have seen this in 2 cases thus far.

That said, Ben is absolutely right-- depending on your system you may also need to remove:

3135173 
3135174 
3126593
3126041 
3126587 
3126434 

These are listed in: https://support.microsoft.com/en-us/kb/3134228

See my comment.

Upvotes: 3

codechurn

Reputation: 3970

I had a web application server which was calling the ChangePassword method on the System.DirectoryServices.AccountManagement.AuthenticablePrincipal object. The current password and new password fields were properly populated and being sent in to the ChangePassword method by an authenticated user.

In my case:

  • I was not going across domains; my web application server is on the same domain.
  • We had two domain controllers, both on the local network.
  • The web server is running Windows Server 2012 R2; I am unsure of the OS of the domain controllers.

My code is as follows:

public bool ChangePassword(string username, string oldPassword, string newPassword, out ActiveDirectoryMembership.LogonError changePasswordLogonError)
{

    try
    {
        using (var context = new PrincipalContext(ContextType.Domain, DomainServer, _ldapUsername, _ldapPassword))
        {

            using (var user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, username))
            {
                user.ChangePassword(oldPassword, newPassword);
                changePasswordLogonError = ActiveDirectoryMembership.LogonError.LogonSuccessful;
                return true;
            }
        }

    }

    catch (PrincipalOperationException pex)
    {
        if ((ActiveDirectoryMembership.LogonError)(pex.ErrorCode) == ActiveDirectoryMembership.LogonError.AccountLockedOut)
        {
            changePasswordLogonError = ActiveDirectoryMembership.LogonError.AccountLockedOut;
            return false;
        }

        else
            throw;
    }
    catch (PasswordException pwdEx)
    {
        Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.ExceptionPolicy.HandleException(pwdEx, Policies.WARNING_EXCEPTION_POLICY_NAME);

        //Look at the error message and attempt to parse out the HRESULT and map it to our LogonError enum
        //A complete list of Network Management Error codes is available here: http://msdn.microsoft.com/en-us/library/windows/desktop/aa370674(v=vs.85).aspx
        //The HRESULT is a hex value which will need to be converted to an int in order to be matched against the list of Error code values
        if (pwdEx.Message.Contains("HRESULT: 0x80070056"))
            changePasswordLogonError = ActiveDirectoryMembership.LogonError.LogonFailure;
        else if (pwdEx.Message.Contains("HRESULT: 0x800708C5"))
            changePasswordLogonError = ActiveDirectoryMembership.LogonError.PasswordDoesNotMeetComplexityRequirements;
        else
            throw;

        return false;
    }
    catch (Exception)
    {
        throw;
    }

}

My application server had all of the patches installed which are referenced in Microsoft Security Bulletin MS16-014. With KB3126041 installed, when a user attempted to change their password, the following exception would be thrown; however, the password would be changed successfully. Additionally, the user would be able to log on with both the OLD and NEW password via the application!

Timestamp: 2016-03-08 12:39:55.033
Message: HandlingInstanceID: cd253adb-1e51-489a-8cf5-870568fb26ff
An exception of type 'System.DirectoryServices.AccountManagement.PasswordException' occurred and was caught.
------------------------------------------------------------------------------------------------------------
03/08/2016 12:39:54
Type : System.DirectoryServices.AccountManagement.PasswordException, System.DirectoryServices.AccountManagement, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
Message : The specified network password is not correct. (Exception from HRESULT: 0x80070056)
Source : System.DirectoryServices.AccountManagement
Help link : 
Data : System.Collections.ListDictionaryInternal
TargetSite : Void ChangePassword(System.DirectoryServices.DirectoryEntry, System.String, System.String)
HResult : -2146233087
Stack Trace :    at System.DirectoryServices.AccountManagement.SDSUtils.ChangePassword(DirectoryEntry de, String oldPassword, String newPassword)
   at System.DirectoryServices.AccountManagement.ADStoreCtx.ChangePassword(AuthenticablePrincipal p, String oldPassword, String newPassword)
   at System.DirectoryServices.AccountManagement.PasswordInfo.ChangePassword(String oldPassword, String newPassword)
   at System.DirectoryServices.AccountManagement.AuthenticablePrincipal.ChangePassword(String oldPassword, String newPassword)
   at MyApplication.Web.UI.Infrastructure.ActiveDirectoryMembershipProvider.ChangePassword(String username, String oldPassword, String newPassword, LogonError& changePasswordLogonError)

Additional Info:

MachineName : SOME-SERVER
TimeStamp : 3/8/2016 5:39:55 PM
FullName : Microsoft.Practices.EnterpriseLibrary.ExceptionHandling, Version=3.1.0.0, Culture=neutral, PublicKeyToken=null
AppDomainName : /LM/W3SVC/1/ROOT-3-131019323428219091
ThreadIdentity : 
WindowsIdentity : DOMAIN\App-Pool-Username
    Inner Exception
    ---------------
    Type : System.Runtime.InteropServices.COMException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
    Message : The specified network password is not correct. (Exception from HRESULT: 0x80070056)
    Source : 
    Help link : 
    ErrorCode : -2147024810
    Data : System.Collections.ListDictionaryInternal
    TargetSite : 
    HResult : -2147024810
    Stack Trace : The stack trace is unavailable.

WE REMOVED KB3126041 FROM THE APPLICATION SERVER AND ALL WAS FINE!

Upvotes: 1
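
The failure mode reported in this answer (0x80070056 thrown although the password was changed), as an added C# example that is not code from any poster in this thread: it reads the numeric code from the inner COMException instead of matching text in the message, then probes whether the new password is already accepted. `ChangeOutcome` and `PasswordChangeCheck` are hypothetical names, and the caller is assumed to supply the `PrincipalContext`.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Runtime.InteropServices;

// Hypothetical names, added for illustration only.
public enum ChangeOutcome { Changed, ChangedDespiteError, WrongOldPassword, PolicyRejected }

public static class PasswordChangeCheck
{
    // The two HRESULT values that appear in the answer's code.
    const int InvalidPassword = unchecked((int)0x80070056);
    const int PolicyViolation = unchecked((int)0x800708C5);

    public static ChangeOutcome Change(PrincipalContext context, string username,
                                       string oldPassword, string newPassword)
    {
        using (var user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, username))
        {
            if (user == null)
                throw new ArgumentException("No such user.", "username");
            try
            {
                user.ChangePassword(oldPassword, newPassword);
                return ChangeOutcome.Changed;
            }
            catch (PasswordException ex)
            {
                // In the log above the outer HResult is -2146233087 (generic), while the
                // inner COMException carries -2147024810 (0x80070056), so read the inner one.
                var com = ex.InnerException as COMException;
                int code = com != null ? com.ErrorCode : ex.HResult;

                if (code == PolicyViolation)
                    return ChangeOutcome.PolicyRejected;
                if (code != InvalidPassword)
                    throw;

                // 0x80070056 is ambiguous on the affected systems: probe the new password.
                // If the old password really was wrong, this probe is one more failed
                // logon and counts toward the account lockout threshold.
                if (context.ValidateCredentials(username, newPassword))
                    return ChangeOutcome.ChangedDespiteError;
                return ChangeOutcome.WrongOldPassword;
            }
        }
    }
}
```

`ChangedDespiteError` is the state to log and alert on, since the thread reports the old password can remain usable alongside the new one. The probe may be answered by a different domain controller than the one that processed the change, so a negative result right after the call is not conclusive.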

Ben

Reputation: 66

Had a similar problem and believe it's related to MS16-014 https://support.microsoft.com/en-us/kb/3134228 - it does actually state in this KB there is a problem – (“For example, the problem can occur when you try to change your "domain B" password from a computer that is joined to "domain A" and trust from domain A to Domain B is not configured.”) but it's listed as a problem to kb3126041.

The following updates needed to be removed on my affected system:

kb3126593 kb3126587

OS: Windows 2008 R2 SP1

Hope this helps.

Upvotes: 5
