"The specified network password is invalid." exception when changing user password

I am running an ASP.NET application that changes the user password. A PasswordException, "The specified network password is invalid.", is thrown every time the ChangePassword method is called, even if the current password has been verified.

If I enter an invalid current password, an exception is thrown. This is the expected result.

If I enter the current password, an exception is thrown, but the password is still changed (I checked by verifying it immediately after the change).

The code is very simple:

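using System.DirectoryServices.AccountManagement;

// Bind to the domain and check the current password first.
var context = new PrincipalContext(ContextType.Domain, "domain.net");
var valid = context.ValidateCredentials(username, oldPassword);
// Look up the user and change the password; this is the call that throws.
var userPrincipal = UserPrincipal.FindByIdentity(context, username);
userPrincipal.ChangePassword(oldPassword, newPassword);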

The result is the following exception, which is thrown every time, regardless of whether the current password is correct or not:

System.DirectoryServices.AccountManagement.PasswordException: The specified network password is not correct. (Exception from HRESULT: 0x80070056) ---> System.Runtime.InteropServices.COMException: The specified network password is not correct. (Exception from HRESULT: 0x80070056)
 --- End of inner exception stack trace ---
 at System.DirectoryServices.AccountManagement.SDSUtils.ChangePassword(DirectoryEntry de, String oldPassword, String newPassword)
 at System.DirectoryServices.AccountManagement.ADStoreCtx.ChangePassword(AuthenticablePrincipal p, String oldPassword, String newPassword)
 at StudentAccountManager.ChangeUserPassword(String username, String oldPassword, String newPassword)

Helpful information:

  • , - (, webdomain.net), , .
  • domain.net , .
  • . - . PDC .
  • PrincipalContext - (, dc1.domain.net, dc2.domain.net), ( ).
  • userPrincipal.SetPassword , domain.net PrincipalContext.
  • , , .
  • (domain.net trusts webdomain.net)
  • - Windows Server 2012 R2, - Windows Server 2008 R2

, . , , ? , .

+4
3

, MS16-014 https://support.microsoft.com/en-us/kb/3134228 - , - ( ", " B " , " A ", A B ." ), kb3126041

kb3126593 kb3126587

: Windows 2008 R2 SP1

, .

+4

Microsoft : http://support.microsoft.com/en-us/kb/3139921 8.1/2012R2 http://support.microsoft.com/en-us/kb/3140410 7/2008R2.

. .

, - :

3135173 
3135174 
3126593
3126041 
3126587 
3126434 

: https://support.microsoft.com/en-us/kb/3134228

.

+3

-, ChangePassword System.DirectoryServices.AccountManagement.AuthenticablePrincipal. ChangePassword .

:

  • ; - .
  • ; .
  • - Windows Server 2012 R2; .

:

public bool ChangePassword(string username, string oldPassword, string newPassword, out ActiveDirectoryMembership.LogonError changePasswordLogonError)
{

    try
    {
        using (var context = new PrincipalContext(ContextType.Domain, DomainServer, _ldapUsername, _ldapPassword))
        {

            using (var user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, username))
            {
                user.ChangePassword(oldPassword, newPassword);
                changePasswordLogonError = ActiveDirectoryMembership.LogonError.LogonSuccessful;
                return true;
            }
        }

    }

    catch (PrincipalOperationException pex)
    {
        if ((ActiveDirectoryMembership.LogonError)(pex.ErrorCode) == ActiveDirectoryMembership.LogonError.AccountLockedOut)
        {
            changePasswordLogonError = ActiveDirectoryMembership.LogonError.AccountLockedOut;
            return false;
        }

        else
            throw;
    }
    catch (PasswordException pwdEx)
    {
        Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.ExceptionPolicy.HandleException(pwdEx, Policies.WARNING_EXCEPTION_POLICY_NAME);

        //Look at the error message and attempt to parse out the HRESULT and map it to our LogonError enum
        //A complete list of Network Management Error codes is available here: http://msdn.microsoft.com/en-us/library/windows/desktop/aa370674(v=vs.85).aspx
        //The HRESULT is a hex value which will need to be converted to an int in order to be matched against the list of Error code values
        if (pwdEx.Message.Contains("HRESULT: 0x80070056"))
            changePasswordLogonError = ActiveDirectoryMembership.LogonError.LogonFailure;
        else if (pwdEx.Message.Contains("HRESULT: 0x800708C5"))
            changePasswordLogonError = ActiveDirectoryMembership.LogonError.PasswordDoesNotMeetComplexityRequirements;
        else
            throw;

        return false;
    }
    catch (Exception)
    {
        throw;
    }

}

All the fixes that are listed in Microsoft Security Bulletin MS16-014 were installed on my application server. When KB3126041 is installed and the user tries to change his password, the following exception is thrown, but the password is successfully changed. In addition, the user is able to log in with the OLD and NEW password through the app!

Timestamp: 2016-03-08 12:39:55.033
Message: HandlingInstanceID: cd253adb-1e51-489a-8cf5-870568fb26ff
An exception of type 'System.DirectoryServices.AccountManagement.PasswordException' occurred and was caught.
------------------------------------------------------------------------------------------------------------
03/08/2016 12:39:54
Type : System.DirectoryServices.AccountManagement.PasswordException, System.DirectoryServices.AccountManagement, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
Message : The specified network password is not correct. (Exception from HRESULT: 0x80070056)
Source : System.DirectoryServices.AccountManagement
Help link : 
Data : System.Collections.ListDictionaryInternal
TargetSite : Void ChangePassword(System.DirectoryServices.DirectoryEntry, System.String, System.String)
HResult : -2146233087
Stack Trace :    at System.DirectoryServices.AccountManagement.SDSUtils.ChangePassword(DirectoryEntry de, String oldPassword, String newPassword)
   at System.DirectoryServices.AccountManagement.ADStoreCtx.ChangePassword(AuthenticablePrincipal p, String oldPassword, String newPassword)
   at System.DirectoryServices.AccountManagement.PasswordInfo.ChangePassword(String oldPassword, String newPassword)
   at System.DirectoryServices.AccountManagement.AuthenticablePrincipal.ChangePassword(String oldPassword, String newPassword)
   at MyApplication.Web.UI.Infrastructure.ActiveDirectoryMembershipProvider.ChangePassword(String username, String oldPassword, String newPassword, LogonError& changePasswordLogonError)

Additional Info:

MachineName : SOME-SERVER
TimeStamp : 3/8/2016 5:39:55 PM
FullName : Microsoft.Practices.EnterpriseLibrary.ExceptionHandling, Version=3.1.0.0, Culture=neutral, PublicKeyToken=null
AppDomainName : /LM/W3SVC/1/ROOT-3-131019323428219091
ThreadIdentity : 
WindowsIdentity : DOMAIN\App-Pool-Username
    Inner Exception
    ---------------
    Type : System.Runtime.InteropServices.COMException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
    Message : The specified network password is not correct. (Exception from HRESULT: 0x80070056)
    Source : 
    Help link : 
    ErrorCode : -2147024810
    Data : System.Collections.ListDictionaryInternal
    TargetSite : 
    HResult : -2147024810
    Stack Trace : The stack trace is unavailable.

WE REMOVED KB3126041 FROM THE APPLICATION SERVER AND EVERYTHING WORKED!

+1
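An added example, not code from any poster in this thread: it reads the error code from the inner COMException instead of matching the message text, and re-checks the directory state when 0x80070056 is raised, since the thread reports the exception firing even though the change went through. The names `ChangeOutcome` and `PasswordChangeCheck` are hypothetical.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Runtime.InteropServices;

public enum ChangeOutcome { Changed, WrongOldPassword, PolicyRejected, ChangedDespiteError, Failed }

public static class PasswordChangeCheck   // hypothetical helper, not part of any library
{
    // Win32/NERR codes carried in the low 16 bits of the HRESULTs quoted in this thread.
    const int ErrorInvalidPassword = 0x56;   // from 0x80070056
    const int NerrPasswordTooShort = 0x8C5;  // from 0x800708C5

    // The low 16 bits of an HRESULT hold the underlying error code.
    public static int Win32Code(int hresult) => hresult & 0xFFFF;

    public static ChangeOutcome Change(PrincipalContext ctx, string user, string oldPw, string newPw)
    {
        try
        {
            using (var p = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, user))
            {
                if (p == null) return ChangeOutcome.Failed;   // account not found
                p.ChangePassword(oldPw, newPw);
                return ChangeOutcome.Changed;
            }
        }
        catch (PasswordException ex)
        {
            // The outer HResult is generic (-2146233087 in the log above); the real
            // code is on the inner COMException (-2147024810 == 0x80070056).
            var com = ex.InnerException as COMException;
            int code = com != null ? Win32Code(com.ErrorCode) : 0;
            if (code == NerrPasswordTooShort) return ChangeOutcome.PolicyRejected;
            if (code != ErrorInvalidPassword) throw;

            // Symptom from the thread: the exception is raised although the change
            // was applied. Confirm the actual state before telling the user it failed.
            if (ctx.ValidateCredentials(user, newPw))
                return ChangeOutcome.ChangedDespiteError;
            return ChangeOutcome.WrongOldPassword;
        }
    }
}
```

A failed `ValidateCredentials` call counts as a bad logon attempt toward the lockout threshold, so run the re-check once per change request. Log every `ChangedDespiteError` result, because it marks a server showing the behaviour described above.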

Source: https://habr.com/ru/post/1626023/

