Solution for Problem in Change Password after Windows Security Update

Hello All,

As some of our users reported here, there is an issue in the change password feature of ADSelfService Plus after a Windows security update.

End users trying to change their passwords will receive the message "Problem in change password". The logs will have the entry "{ERROR_CODE=800704f1, ERROR_MESSAGE=adssp.native.err.changepassword, ERROR_SEVERITY=SEVERE}".

This issue is caused by a Windows update that was released a few days ago.
 
Note: This issue is not specific to the 5315 build and is not due to any changes made in ADSelfService Plus. As discussed in the Known issues section here, Microsoft intended to prevent password changes for disabled or locked-out accounts over NTLM authentication, but the update prevented them for active user accounts too. As a result, users are not able to change their passwords using ADSelfService Plus.

You can resolve this issue using any one of the following solutions posted.

Fix 1: Enable LDAPS
 
With LDAPS enabled, the change password feature should work again without any issue. Follow the steps given below to enable LDAPS in ADSelfService Plus:

1. Open the ADSelfService Plus admin console and navigate to Admin > Product Settings > Connections.
2. Select the Use LDAP SSL (LDAPS) option.
3. Click Save.
4. After enabling LDAPS, you have to install your domain controller certificate on the machine where ADSelfService Plus is installed.

Please follow the steps given in the link below to enable LDAPS for domain controller: 


 

Fix 2: Patch

Note: This patch requires Windows PowerShell 2.0 to be installed on the machine where ADSelfService Plus is installed. All Windows versions from Windows 7 and Windows 2008R2 onward have Windows PowerShell 2.0 installed by default.

The default HTTP port for WinRM 2.0 (5985) should be opened on the firewall.

If you are running ADSelfService Plus on an earlier version of Windows, please contact our support team (support@adselfserviceplus.com).


The patch below is only for build 5315. Please upgrade ADSelfService Plus to the latest build, 5315, as given in this link, and then apply the patch. If you are on a build above 5315, this patch is not required.


Steps to apply the patch:


* Stop "ManageEngineADSelfService Plus" service.


* Take a backup of the files "AdventNetADSMServer.jar" as "AdventNetADSMServer.jar_bak" and "AdventNetADSMClient.jar" as "AdventNetADSMClient.jar_bak", which are located at

   "<installation_dir>\ManageEngine\ADSelfService Plus\lib", to a different location.

 

* Extract the patch files "AdventNetADSMServer.jar" and "AdventNetADSMClient.jar" from the link below and place them in the above-mentioned location.


      Patch Download Link

 

* Start "ManageEngineADSelfService Plus" service.


* Execute the following PowerShell cmdlets with administrator privileges: 
  
i) Cmdlets to be executed on the domain controller (preferably the first DC in the list) configured in the domain settings of ADSelfService Plus:
 
   Enable-PSRemoting -Force
   
   Set-Item wsman:/localhost/client/TrustedHosts "ADSelfServicePlus-Server-Name" -Force 

   Restart-Service WinRM 
 
 
ii) Cmdlets to be executed on the machine where ADSelfService Plus is installed: 

    Enable-PSRemoting -Force

    Set-Item wsman:/localhost/client/TrustedHosts "DC-Name" -Force

    Restart-Service WinRM

To check whether the cmdlets were executed successfully, run the following commands on the machine where ADSelfService Plus is installed:

    $Cred = Get-Credential

    Invoke-Command -ComputerName DC-Name -ScriptBlock { ipconfig } -Credential $Cred
 
This command should print the IP details of the domain controller.
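
The Set-Item call in step ii replaces whatever TrustedHosts already contains on that machine. The following is an added example, not part of the original post or the vendor's patch: it appends the domain controller to the existing list instead, refuses a wildcard entry, and then runs the verification. `Add-TrustedHost` is a hypothetical helper name and `DC-Name` is the page's placeholder for your domain controller.

```powershell
# Added example. Run in an elevated PowerShell session on the machine
# where ADSelfService Plus is installed.
function Add-TrustedHost {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName
    )

    # A wildcard would make the WinRM client trust every remote host.
    if ($ComputerName -match '\*') {
        throw "Refusing wildcard entry '$ComputerName' in TrustedHosts."
    }

    $path    = 'WSMan:\localhost\Client\TrustedHosts'
    $current = (Get-Item -Path $path).Value

    # TrustedHosts is a comma-separated string; split it and drop empty entries.
    $entries = @()
    if ($current) {
        $entries = @($current -split ',' |
                     ForEach-Object { $_.Trim() } |
                     Where-Object { $_ })
    }

    if ($entries -contains '*') {
        Write-Warning "TrustedHosts already contains '*'; consider replacing it with explicit names."
    }

    # -contains compares strings case-insensitively.
    if ($entries -contains $ComputerName) {
        Write-Output "TrustedHosts already contains $ComputerName"
        return
    }

    # Keep the existing entries and add the new one.
    $merged = ($entries + $ComputerName) -join ','
    Set-Item -Path $path -Value $merged -Force
    Write-Output "TrustedHosts is now: $merged"
}

Add-TrustedHost -ComputerName 'DC-Name'   # placeholder name from the page

# Confirms the WinRM listener on the DC answers before credentials are used.
Test-WSMan -ComputerName 'DC-Name'

# Same verification as in the post: prints the DC's IP details on success.
$Cred = Get-Credential
Invoke-Command -ComputerName 'DC-Name' -ScriptBlock { ipconfig } -Credential $Cred
```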


Fix 3: Uninstall the Windows update which caused the issue (not recommended)

You need to remove the Windows update that caused this issue from the machine where ADSelfService Plus is installed. You can identify the exact update that needs to be uninstalled based on the operating system by visiting this link.

E.g.: For Windows 8.1, search for the updates KB3177108 and KB3167679, and uninstall them.
 
Steps to uninstall the Windows update:
1. Navigate to Control Panel > Programs, and then under Programs and Features, select View installed updates.
2. Search for the specific updates, and then click Uninstall.
3. Restart the server.

Regards,
ADSelfService Plus Team
Toll Free: +1-888-720-9500            
Direct: +1-408-916-9890
Self Service Password Management Solution