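I am running an ASP.NET application that changes user passwords. A PasswordException, "The specified network password is not correct.", is thrown every time the ChangePassword method is called, even when the current password has already been validated.
If I enter an invalid current password, the exception is thrown. This is the expected result.
If I enter a valid current password, the exception is thrown, but the password is still changed (I have tested this by validating it immediately after the change).
The code is very simple: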
var context = new PrincipalContext(ContextType.Domain, "domain.net");
var valid = context.ValidateCredentials(username, oldPassword);
var userPrincipal = UserPrincipal.FindByIdentity(context, username);
userPrincipal.ChangePassword(oldPassword, newPassword);
This causes the following exception to be thrown every time, regardless of whether the current password is correct:
System.DirectoryServices.AccountManagement.PasswordException: The specified network password is not correct. (Exception from HRESULT: 0x80070056) ---> System.Runtime.InteropServices.COMException: The specified network password is not correct. (Exception from HRESULT: 0x80070056)
--- End of inner exception stack trace ---
at System.DirectoryServices.AccountManagement.SDSUtils.ChangePassword(DirectoryEntry de, String oldPassword, String newPassword)
at System.DirectoryServices.AccountManagement.ADStoreCtx.ChangePassword(AuthenticablePrincipal p, String oldPassword, String newPassword)
at StudentAccountManager.ChangeUserPassword(String username, String oldPassword, String newPassword)
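Useful information:
My best guess is that there is a timing issue between validating the credentials and sending the change-password request. Is it possible that the new credentials are being validated against a domain controller that has not yet received the change-password request? That would cause the exception to be thrown while the password is still changed.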
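Answer 0 (score: 4)
Had a similar issue and believe it is related to MS16-014 https://support.microsoft.com/en-us/kb/3134228 - it does state in this KB that there is an issue ("For example, the problem may occur when you try to change a "domain B" password from a computer that is joined to "domain A" and the trust from domain A to domain B is not configured.") but it is listed as an issue with kb3126041.
I needed to remove the following updates on the affected systems:
kb3126593 kb3126587
OS: Windows 2008 R2 SP1
Hope this helps.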
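Answer 1 (score: 3)
Microsoft has a fix: one for 8.1 / 2012R2 and one for 7 / 2008R2.
These patches eliminate the need to remove the older updates - I have seen this in 2 cases so far.
That said, Ben is absolutely right - depending on your system, you may also need to remove: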
3135173
3135174
3126593
3126041
3126587
3126434
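These are listed at: http://support.microsoft.com/en-us/kb/3139921
See my comments.
Answer 2 (score: 1)
I have a web application server that calls the ChangePassword method on a System.DirectoryServices.AccountManagement.AuthenticablePrincipal object. The current password and new password fields are populated correctly and are sent to the ChangePassword method by an authenticated user.
In my case:
My code is as follows: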
public bool ChangePassword(string username, string oldPassword, string newPassword, out ActiveDirectoryMembership.LogonError changePasswordLogonError)
{
    try
    {
        using (var context = new PrincipalContext(ContextType.Domain, DomainServer, _ldapUsername, _ldapPassword))
        {
            using (var user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, username))
            {
                user.ChangePassword(oldPassword, newPassword);
                changePasswordLogonError = ActiveDirectoryMembership.LogonError.LogonSuccessful;
                return true;
            }
        }
    }
    catch (PrincipalOperationException pex)
    {
        if ((ActiveDirectoryMembership.LogonError)(pex.ErrorCode) == ActiveDirectoryMembership.LogonError.AccountLockedOut)
        {
            changePasswordLogonError = ActiveDirectoryMembership.LogonError.AccountLockedOut;
            return false;
        }
        else
            throw;
    }
    catch (PasswordException pwdEx)
    {
        Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.ExceptionPolicy.HandleException(pwdEx, Policies.WARNING_EXCEPTION_POLICY_NAME);
        //Look at the error message and attempt to parse out the HRESULT and map it to our LogonError enum
        //A complete list of Network Management Error codes is available here: http://msdn.microsoft.com/en-us/library/windows/desktop/aa370674(v=vs.85).aspx
        //The HRESULT is a hex value which will need to be converted to an int in order to be matched against the list of Error code values
        if (pwdEx.Message.Contains("HRESULT: 0x80070056"))
            changePasswordLogonError = ActiveDirectoryMembership.LogonError.LogonFailure;
        else if (pwdEx.Message.Contains("HRESULT: 0x800708C5"))
            changePasswordLogonError = ActiveDirectoryMembership.LogonError.PasswordDoesNotMeetComplexityRequirements;
        else
            throw;
        return false;
    }
    catch (Exception)
    {
        throw;
    }
}
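My application server has all of the patches installed that are referenced in Microsoft Security Bulletin MS16-014. After KB3126041 was installed, the following exception is thrown when a user tries to change their password, but the password is changed successfully. In addition, the user can log in through the application with both the OLD and the NEW password!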
Timestamp: 2016-03-08 12:39:55.033
Message: HandlingInstanceID: cd253adb-1e51-489a-8cf5-870568fb26ff
An exception of type 'System.DirectoryServices.AccountManagement.PasswordException' occurred and was caught.
------------------------------------------------------------------------------------------------------------
03/08/2016 12:39:54
Type : System.DirectoryServices.AccountManagement.PasswordException, System.DirectoryServices.AccountManagement, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
Message : The specified network password is not correct. (Exception from HRESULT: 0x80070056)
Source : System.DirectoryServices.AccountManagement
Help link :
Data : System.Collections.ListDictionaryInternal
TargetSite : Void ChangePassword(System.DirectoryServices.DirectoryEntry, System.String, System.String)
HResult : -2146233087
Stack Trace : at System.DirectoryServices.AccountManagement.SDSUtils.ChangePassword(DirectoryEntry de, String oldPassword, String newPassword)
at System.DirectoryServices.AccountManagement.ADStoreCtx.ChangePassword(AuthenticablePrincipal p, String oldPassword, String newPassword)
at System.DirectoryServices.AccountManagement.PasswordInfo.ChangePassword(String oldPassword, String newPassword)
at System.DirectoryServices.AccountManagement.AuthenticablePrincipal.ChangePassword(String oldPassword, String newPassword)
at MyApplication.Web.UI.Infrastructure.ActiveDirectoryMembershipProvider.ChangePassword(String username, String oldPassword, String newPassword, LogonError& changePasswordLogonError)
Additional Info:
MachineName : SOME-SERVER
TimeStamp : 3/8/2016 5:39:55 PM
FullName : Microsoft.Practices.EnterpriseLibrary.ExceptionHandling, Version=3.1.0.0, Culture=neutral, PublicKeyToken=null
AppDomainName : /LM/W3SVC/1/ROOT-3-131019323428219091
ThreadIdentity :
WindowsIdentity : DOMAIN\App-Pool-Username
Inner Exception
---------------
Type : System.Runtime.InteropServices.COMException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
Message : The specified network password is not correct. (Exception from HRESULT: 0x80070056)
Source :
Help link :
ErrorCode : -2147024810
Data : System.Collections.ListDictionaryInternal
TargetSite :
HResult : -2147024810
Stack Trace : The stack trace is unavailable.
We removed KB3126041 from the application server, and everything works fine!
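
Added example, not part of any answer above: the log shows the outer PasswordException carrying HResult -2146233087 while the inner COMException carries -2147024810 (0x80070056), so the Win32 code can be read from the inner exception instead of matched in the message text. The names PasswordErrorDecoder and ChangeResult are hypothetical, and the sample exception is constructed to mirror the log.

```csharp
using System;
using System.Runtime.InteropServices;

public enum ChangeResult { WrongCurrentPassword, PolicyViolation, Unknown }

// Hypothetical helper: classify a failed ChangePassword call by HRESULT.
public static class PasswordErrorDecoder
{
    private const int FacilityWin32 = 7;
    private const int ErrorInvalidPassword = 86;    // low word of 0x80070056
    private const int NerrPasswordTooShort = 2245;  // low word of 0x800708C5

    // Walk the InnerException chain and return the first COMException's HRESULT.
    public static int? FindComHResult(Exception ex)
    {
        for (var e = ex; e != null; e = e.InnerException)
        {
            if (e is COMException com) return com.ErrorCode;
        }
        return null;
    }

    public static ChangeResult Classify(Exception ex)
    {
        int? hr = FindComHResult(ex);
        // A failure HRESULT has the severity bit set, i.e. it is negative as an int.
        if (hr == null || hr.Value >= 0) return ChangeResult.Unknown;

        int facility = (hr.Value >> 16) & 0x1FFF;  // bits 16-28
        int code = hr.Value & 0xFFFF;              // bits 0-15
        if (facility != FacilityWin32) return ChangeResult.Unknown;

        switch (code)
        {
            case ErrorInvalidPassword: return ChangeResult.WrongCurrentPassword;
            case NerrPasswordTooShort: return ChangeResult.PolicyViolation;
            default: return ChangeResult.Unknown;
        }
    }

    public static void Main()
    {
        // Constructed sample: a wrapper around a COMException with the logged code.
        var inner = new COMException("The specified network password is not correct.", -2147024810);
        var outer = new InvalidOperationException("constructed wrapper", inner);
        Console.WriteLine(Classify(outer));
    }
}
```

On the affected servers described above this classification still reports a wrong current password even though the change went through, so the result is only as trustworthy as the HRESULT the platform returns.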