
"The specified network password is not correct." exception when changing a user's password

I am running an ASP.NET application that changes a user's password. The PasswordException "The specified network password is not correct." is getting thrown every time the ChangePassword method is called, even when the current password has been validated.

If I enter in an invalid current password, the exception gets thrown. This is the expected result.

If I enter in a valid current password, the exception gets thrown, but the password still gets changed (I've tested validating it immediately after the change).

The code is very simple:

var context = new PrincipalContext(ContextType.Domain, "domain.net");
var valid = context.ValidateCredentials(username, oldPassword);
var userPrincipal = UserPrincipal.FindByIdentity(context, username);
userPrincipal.ChangePassword(oldPassword, newPassword);

This results in the following exception being thrown every time, regardless if the current password is correct or not:

System.DirectoryServices.AccountManagement.PasswordException: The specified network password is not correct. (Exception from HRESULT: 0x80070056) ---> System.Runtime.InteropServices.COMException: The specified network password is not correct. (Exception from HRESULT: 0x80070056)
 --- End of inner exception stack trace ---
 at System.DirectoryServices.AccountManagement.SDSUtils.ChangePassword(DirectoryEntry de, String oldPassword, String newPassword)
 at System.DirectoryServices.AccountManagement.ADStoreCtx.ChangePassword(AuthenticablePrincipal p, String oldPassword, String newPassword)
 at StudentAccountManager.ChangeUserPassword(String username, String oldPassword, String newPassword)

Useful information:

  • The domain that the website is hosted on (ex. webdomain.net) is a different domain than the password change is being done against.
  • There are three domain controllers in domain.net, one of which is read only.
  • Two of the domain controllers are on-site. The other is off-site. The PDC is on-site.
  • If any of the specific domain controllers (ex. dc1.domain.net, dc2.domain.net) is used in the PrincipalContext, everything works fine (all three have been tested).
  • The userPrincipal.SetPassword method works correctly when domain.net is specified in the PrincipalContext.
  • The user account running the application pool has permissions to change and set the password on domain.net.
  • There is a one-way trust between the domains (domain.net trusts webdomain.net).
  • The web server is running Windows Server 2012 R2, the domain controllers on domain.net are Windows Server 2008 R2

My best guess is that there is a timing issue with a credential validation and the change password request being sent. Is it possible that the new credentials are being validated against a domain controller that hasn't received the request to change the password? This would result in the exception being thrown, but the password still being changed.

ddechant asked Jan 26 '16 15:01


2 Answers

Had a similar problem and believe it's related to MS16-014 https://support.microsoft.com/en-us/kb/3134228 - it does actually state in this KB there is a problem – (“For example, the problem can occur when you try to change your "domain B" password from a computer that is joined to "domain A" and trust from domain A to Domain B is not configured.”) but it's listed as a problem to kb3126041

The following updates needed to be removed on my affected system:

kb3126593 kb3126587

OS: Windows 2008 R2 SP1

Hope this helps.

Ben answered Nov 08 '22 23:11


Microsoft has a fix: http://support.microsoft.com/en-us/kb/3139921 for 8.1/2012R2 and http://support.microsoft.com/en-us/kb/3140410 for 7/2008R2.

These patches eliminate the need to remove the older updates-- I have seen this in 2 cases thus far.

That said, Ben is absolutely right-- depending on your system you may also need to remove:

3135173 
3135174 
3126593
3126041 
3126587 
3126434 

These are listed in: https://support.microsoft.com/en-us/kb/3134228

See my comment.

robertpb answered Nov 08 '22 21:11
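
A read-only check of the update state discussed in the two answers, as an added example that is not part of either answer: it reports which of the updates listed above are installed on a machine and whether one of the two fix KBs is present. The function name, the status strings and the `-InstalledIds` parameter (used to feed a constructed list instead of querying a host) are assumptions made for this example.

```powershell
# Added example. KB numbers are the ones quoted in the answers on this page.
$RegressionUpdates = 'KB3135173', 'KB3135174', 'KB3126593', 'KB3126041', 'KB3126587', 'KB3126434'
$FixUpdates        = 'KB3139921', 'KB3140410'   # 8.1/2012 R2 and 7/2008 R2 respectively

function Get-PasswordChangeUpdateStatus {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        # Hypothetical helper parameter: supply installed KB ids directly (offline testing).
        [string[]]$InstalledIds
    )

    if (-not $PSBoundParameters.ContainsKey('InstalledIds')) {
        # Get-HotFix reads the installed-update list; it changes nothing on the host.
        $InstalledIds = @(Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
            Select-Object -ExpandProperty HotFixID)
    }

    # -contains is case-insensitive, so 'kb3126593' and 'KB3126593' both match.
    $regression = @($RegressionUpdates | Where-Object { $InstalledIds -contains $_ })
    $fix        = @($FixUpdates        | Where-Object { $InstalledIds -contains $_ })

    if ($fix.Count -gt 0) {
        $status = 'FixInstalled'
    } elseif ($regression.Count -gt 0) {
        $status = 'ListedUpdatePresentWithoutFix'
    } else {
        $status = 'NoListedUpdatesFound'
    }

    [pscustomobject]@{
        ComputerName   = $ComputerName
        ListedUpdates  = $regression
        FixUpdates     = $fix
        Status         = $status
    }
}

# Constructed sample input: the two updates Ben reports removing, with no fix KB present.
Get-PasswordChangeUpdateStatus -ComputerName 'sample-host' -InstalledIds 'KB3126593', 'KB3126587'

# Live query of the local machine.
Get-PasswordChangeUpdateStatus
```

A `ListedUpdatePresentWithoutFix` result identifies hosts where installing the fix KB named in the second answer is the alternative to uninstalling security updates.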