Solution for Problem in Change Password after Windows Security Update

Hello All,

As some of our users reported here, there is an issue in the change password feature of ADSelfService

Plus after Windows Security Update.

End users trying to change their passwords will receive the message "Problem in change password".

The logs will have the entry "{ERROR_CODE=800704f1,

ERROR_MESSAGE=adssp.native.err.changepassword, ERROR_SEVERITY=SEVERE}

This issue is caused by Windows update that was released few days ago.

Note: This issue is not specific to the 5315 build and is not due to any changes made in ADSelfService

Plus. As discussed in the Known issues section here, Microsoft intended to prevent the ability to change passwords of disabled or locked-out accounts by NTLM authentication but instead prevented it for active user accounts too. As a result, users are not able to change their passwords using ADSelfService Plus.

You can resolve this issue using any one of the following solutions posted.

Fix 1: Enable LDAPS

With LDAPS enabled, the change password feature should work again without any issue. Follow the steps given below to enable LDAPS in ADSelfService Plus:

1.Open the ADSelfService Plus admin console and navigate to Admin > Product Settings >Connections.

2.Select Use LDAP SSL (LDAPS) option.

3.Click Save.

4.After enabling LDAPS, you have to install your domain controller certificate in the machine where ADSelfService Plus is installed.

Please follow the steps given in the link below to enable LDAPS for domain controller:

http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

Fix 2: Patch

Note: This patch requires Windows PowerShell 2.0 to be installed on the machine where ADSelfService Plus is installed. All Windows versions from Windows 7 and Windows 2008R2 will have Windows Powershell 2.0 installed by default.

The default HTTP port for WinRM 2.0 (5985) should be opened on the firewall.

If you are running ADSelfService Plus on the lower version of Windows then please contact our support team (support@adselfserviceplus.com)

The below patch is only for the build 5315. So please upgrade ADSelfService Plus to the latest build 5315 as given in this link then apply the patch. If you are above the build 5315 then this is not required.

Steps to apply the patch:

* Stop "ManageEngineADSelfService Plus" service.

* Take a back up of the files "AdventNetADSMServer.jar" as "AdventNetADSMServer.jar_bak" and "AdventNetADSMClient.jar" as "AdventNetADSMClient.jar_bak" which are located at

"<installation_dir>\ ManageEngine\ ADSelfService Plus\lib" to a different location.

* Please extract the patch files "AdventNetADSMServer.jar" and "AdventNetADSMClient.jar" files from the below link and place it on the above-mentioned location.

Patch Download Link

* Start "ManageEngineADSelfService Plus" service.

* Execute the following PowerShell cmdlets with administrator privileges:

i) Cmdlets to be executed on the domain controller (preferably the first dc in the list) configured in the

domain settings of ADSelfService Plus:

Enable-PSRemoting -Force

Set-Item wsman:/localhost/client/TrustedHosts "ADSelfServicePlus-Server-Name" -Force

Restart-Service WinRM

ii) Cmdlets to be executed on the machine where ADSelfService Plus is installed:

Enable-PSRemoting -Force

Set-Item wsman:/localhost/client/TrustedHosts "DC-Name" -Force

Restart-Service WinRM