I am running an ASP.NET application that changes a user's password. The PasswordException "The specified network password is not correct." is getting thrown every time the ChangePassword method is called, even when the current password has been validated.
If I enter in an invalid current password, the exception gets thrown. This is the expected result.
If I enter in a valid current password, the exception gets thrown, but the password still gets changed (I've tested validating it immediately after the change).
The code is very simple:

```csharp
using System.DirectoryServices.AccountManagement;

// Bind to the domain (not a specific DC), validate the current password, then change it.
var context = new PrincipalContext(ContextType.Domain, "domain.net");
var valid = context.ValidateCredentials(username, oldPassword);
var userPrincipal = UserPrincipal.FindByIdentity(context, username);
userPrincipal.ChangePassword(oldPassword, newPassword);
```
This results in the following exception being thrown every time, regardless of whether the current password is correct:

```
System.DirectoryServices.AccountManagement.PasswordException: The specified network password is not correct. (Exception from HRESULT: 0x80070056) ---> System.Runtime.InteropServices.COMException: The specified network password is not correct. (Exception from HRESULT: 0x80070056)
   --- End of inner exception stack trace ---
   at System.DirectoryServices.AccountManagement.SDSUtils.ChangePassword(DirectoryEntry de, String oldPassword, String newPassword)
   at System.DirectoryServices.AccountManagement.ADStoreCtx.ChangePassword(AuthenticablePrincipal p, String oldPassword, String newPassword)
   at StudentAccountManager.ChangeUserPassword(String username, String oldPassword, String newPassword)
```
Useful information:
- The domain that the website is hosted on (ex. webdomain.net) is a different domain than the password change is being done against.
- There are three domain controllers in domain.net, one of which is read only.
- Two of the domain controllers are on-site. The other is off-site. The PDC is on-site.
- If any of the specific domain controllers (ex. dc1.domain.net, dc2.domain.net) is used in the PrincipalContext, everything works fine (all three have been tested).
- The userPrincipal.SetPassword method works correctly when domain.net is specified in the PrincipalContext.
- The user account running the application pool has permissions to change and set the password on domain.net.
- There is a one-way trust between the domains (domain.net trusts webdomain.net).
- The web server is running Windows Server 2012 R2; the domain controllers on domain.net are Windows Server 2008 R2.
My best guess is that there is a timing issue with a credential validation and the change password request being sent. Is it possible that the new credentials are being validated against a domain controller that hasn't received the request to change the password? This would result in the exception being thrown, but the password still being changed.
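An added example (not the asker's code) that applies the observation above that a specific DC works: it runs the validation and the change through one PrincipalContext bound to a single DC, so the two operations cannot be split across different controllers, and when PasswordException is still thrown it re-validates against that same DC before reporting a failure. dc1.domain.net comes from the question; the class, method and parameter names are assumptions.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

// Added example, not the asker's code. The DC name (dc1.domain.net) is taken from
// the question; PasswordChanger and ChangeUserPassword are placeholder names.
public static class PasswordChanger
{
    // Returns true when the new password is in effect on the DC that performed the change.
    public static bool ChangeUserPassword(string dc, string username,
                                          string oldPassword, string newPassword)
    {
        // Binding to one DC keeps validation and the change on the same server.
        using (var context = new PrincipalContext(ContextType.Domain, dc))
        {
            // Reject a wrong current password before touching the account.
            if (!context.ValidateCredentials(username, oldPassword))
                throw new PasswordException("Current password is incorrect.");

            using (var user = UserPrincipal.FindByIdentity(context, username))
            {
                if (user == null)
                    throw new InvalidOperationException("User not found: " + username);

                try
                {
                    user.ChangePassword(oldPassword, newPassword);
                }
                catch (PasswordException ex)
                {
                    // The question reports this exception even when the change succeeded,
                    // so confirm the outcome on the same DC before treating it as a failure.
                    if (context.ValidateCredentials(username, newPassword))
                    {
                        Console.Error.WriteLine("ChangePassword threw but the change took effect on "
                                                + context.ConnectedServer + ": " + ex.Message);
                        return true;
                    }
                    throw;
                }
            }

            return context.ValidateCredentials(username, newPassword);
        }
    }
}

// Usage: PasswordChanger.ChangeUserPassword("dc1.domain.net", username, oldPassword, newPassword);
```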
Best Answer
Had a similar problem and believe it's related to MS16-014 (https://support.microsoft.com/en-us/kb/3134228). It does actually state in this KB that there is a problem ("For example, the problem can occur when you try to change your "domain B" password from a computer that is joined to "domain A" and trust from domain A to Domain B is not configured."), but it's listed as a problem with kb3126041.
The following updates needed to be removed on my affected system:
kb3126593 kb3126587
OS: Windows 2008 R2 SP1
Hope this helps.