Hello All,

As some of our users reported here, there is an issue in the change password feature of ADSelfService Plus after a Windows Security Update.

End users trying to change their passwords will receive the message "Problem in change password". The logs will have the entry "{ERROR_CODE=800704f1, ERROR_MESSAGE=adssp.native.err.changepassword, ERROR_SEVERITY=SEVERE}".

This issue is caused by a Windows update that was released a few days ago.

Note: This issue is not specific to the 5315 build and is not due to any changes made in ADSelfService Plus. As discussed in the Known issues section here, Microsoft intended to prevent the ability to change passwords of disabled or locked-out accounts by NTLM authentication but instead prevented it for active user accounts too. As a result, users are not able to change their passwords using ADSelfService Plus.

You can resolve this issue using any one of the following solutions posted.

Fix 1: Enable LDAPS
 
With LDAPS enabled, the change password feature should work again without any issue. Follow the steps given below to enable LDAPS in ADSelfService Plus:

1. Open the ADSelfService Plus admin console and navigate to Admin > Product Settings > Connections.
2. Select the Use LDAP SSL (LDAPS) option.
3. Click Save.
4. After enabling LDAPS, you have to install your domain controller certificate on the machine where ADSelfService Plus is installed.

Please follow the steps given in the link below to enable LDAPS for the domain controller:


Fix 2: Patch

Note: This patch requires Windows PowerShell 2.0 to be installed on the machine where ADSelfService Plus is installed. Windows 7, Windows Server 2008 R2 and later versions have Windows PowerShell 2.0 installed by default.

The default HTTP port for WinRM 2.0 (5985) should be opened on the firewall.

If you are running ADSelfService Plus on an older version of Windows, please contact our support team (support@adselfserviceplus.com).


The patch below is only for build 5315, so please upgrade ADSelfService Plus to the latest build 5315 as described in this link and then apply the patch. If you are on a build above 5315, this is not required.


Steps to apply the patch:


* Stop the "ManageEngineADSelfService Plus" service.

* Take a backup of the files "AdventNetADSMServer.jar" as "AdventNetADSMServer.jar_bak" and "AdventNetADSMClient.jar" as "AdventNetADSMClient.jar_bak", which are located at "<installation_dir>\ManageEngine\ADSelfService Plus\lib", to a different location.

* Please extract the patch files "AdventNetADSMServer.jar" and "AdventNetADSMClient.jar" from the link below and place them in the above-mentioned location.

      Patch Download Link

* Start the "ManageEngineADSelfService Plus" service.


* Execute the following PowerShell cmdlets with administrator privileges:

i) Cmdlets to be executed on the domain controller (preferably the first DC in the list) configured in the domain settings of ADSelfService Plus:

   Enable-PSRemoting -Force

   Set-Item wsman:/localhost/client/TrustedHosts "ADSelfServicePlus-Server-Name" -Force

   Restart-Service WinRM

ii) Cmdlets to be executed on the machine where ADSelfService Plus is installed:

   Enable-PSRemoting -Force

   Set-Item wsman:/localhost/client/TrustedHosts "DC-Name" -Force

   Restart-Service WinRM

To check whether the cmdlets were executed successfully, run the following commands on the machine where ADSelfService Plus is installed ($Cred holds the credentials of the account used to connect to the DC):

   $Cred = Get-Credential

   Invoke-Command -ComputerName DC-Name -ScriptBlock { ipconfig } -Credential $Cred

This command should print the IP details of the domain controller.


Fix 3: Uninstall the Windows update which caused the issue (not recommended)

You need to remove the Windows update that caused this issue from the machine where ADSelfService Plus is installed. You can identify the exact update that needs to be uninstalled based on the operating system by visiting this link.

E.g.: For Windows 8.1, search for the updates KB3177108 and KB3167679, and uninstall them.

Steps to uninstall the Windows update:
1. Navigate to Control Panel > Programs, and then under Programs and Features, select View installed updates.
2. Search for the specific updates, and then click Uninstall.
3. Restart the server.

Regards,
ADSelfService Plus Team
Toll Free: +1-888-720-9500            
Direct: +1-408-916-9890
Self Service Password Management Solution
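The following script is an added example, not code from the ADSelfService Plus team's post: it performs Fix 2, step ii on the ADSelfService Plus server and then runs the verification the post describes. It assumes the DC host name is supplied by the caller; note that a plain Set-Item on TrustedHosts replaces the whole list, so the script appends instead.

```powershell
# Added example (not from the vendor's post). Run as administrator on the
# machine where ADSelfService Plus is installed. $DcName is the DC at the top
# of the Domain Settings list; $Cred is the account ADSelfService Plus uses.
param(
    [Parameter(Mandatory = $true)][string]$DcName,
    [pscredential]$Cred = (Get-Credential -Message "Account ADSelfService Plus uses to reach $DcName")
)

# Same as the post: WinRM listener plus firewall exception for port 5985.
Enable-PSRemoting -Force

# Set-Item on TrustedHosts overwrites the existing list. Read it first and
# append with -Concatenate so an entry for another DC is not lost.
$current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
$entries = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($entries -contains '*') {
    Write-Warning "TrustedHosts is '*' (trusts every host); leaving it unchanged."
} elseif ($entries -notcontains $DcName) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $DcName -Concatenate -Force
}
Restart-Service WinRM

# Verification: first the WS-Man endpoint itself, then the ipconfig round trip
# from the post, which needs TrustedHosts on the DC side as well (step i).
Test-WSMan -ComputerName $DcName -ErrorAction Stop | Out-Null
$result = Invoke-Command -ComputerName $DcName -Credential $Cred -ScriptBlock { ipconfig }
if ($result -match 'IPv4 Address') {
    "WinRM from this server to $DcName works; Fix 2 remoting prerequisites are in place."
} else {
    Write-Warning "ipconfig returned no IPv4 line; check step i on $DcName and the firewall rule for port 5985."
}
```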


Replies (10)

altallaawa 10 Laps
hi,

good day,

Do you mean that if we have the latest ADSelfService version 5315 there is no need to apply the steps in the system, because I have already upgraded to 5315?

thank you  
Hi Al,

As I have already mentioned in my post, this issue is not specific to the 5315 build, so I would request you to follow one of the solutions posted.

Regards,
ADSelfService Plus Team
sklepzig 5 Laps

Greetings,

Thanks for the information. To clarify, using Fix 1 (enabling LDAPS):

  1. I enable LDAPS on my ADSS server
  2. I install the DC cert on my ADSS server

As we have several DCs defined in ADSS, do I install all of them to the ADSS server, or which one(s)?

If this doesn't help, and we choose to uninstall the update, do we just remove it from the ADSS server (which is what I believe your post says), or do we need to remove it from the DCs as well?

Hi,

ADSelfService Plus will communicate only with the first DC, which is on top of the Domain Settings list. However, it is recommended to install all the DC certificates on the ADSelfService Plus server when you have the application configured for a site-based DC setup to update the password changes.

If you choose to uninstall the Windows security update, then it has to be uninstalled from ADSelfService Plus server and not from the DCs.

Regards,
ADSelfService Plus Team
a.stone 10 Laps
If I have not applied these Windows updates yet can I still do the patch and fix in "fix 2" to avoid it from breaking when these patches do apply during our next maintenance? Or will that break the way it currently works without the offending Windows patches?
Hi,

Yes, you could still apply Fix 2 as a precaution, and it will not break the existing flow of changing passwords.

Regards,
ADSelfService Plus Team
The password is not actually being changed after applying Fix 2

As far as I can tell I have followed the instructions to the letter for Fix 2. I have upgraded to the latest version, I have downloaded and replaced the 2 .jar files and I have run the PS commands on both the Primary DC and the web server. The web app now allows users to change their password without throwing an error. It even sends an email.

BUT

The password is not actually being changed. Have you seen this before or have I missed a step?

OK editing this as I have fixed it just now and this might be useful to someone else.

Our web server is not domain joined (for security). I had to add the account that ADSS+ uses to connect to the primary Domain Controller to the built-in group "Remote Management Users" on the Domain Controller itself. All worked after that.

Dwight Brookland Formation Lap
I am having this exact issue and I am not seeing those updates installed on the server that I have ADSelfService installed on. Those updates are not installed on any of the Domain Controllers that we have configured within the product. 

Users are getting "Old password is incorrect" or something to that when trying to reset their password after it expiring. If I try to reset it on a non-expired account it does the same thing. 

I have attempted to contact support but it's difficult to arrange times given your support hours. Only one of them is installed on my Domain Controllers.

Please advise as you did not release a 5317 that I see for English. Are there any fixes in that code change? 

Thanks, 
Dwight Brookland
Kevin Formation Lap
Hi All,

Just wanted to share a fix that worked for me. I was having the same issue for a client that has a Server 2008 SP2 domain controller and a server 2012 web server where ADSSP is installed. I had implemented a working portal for them a while back but it was not used until now and of course, this error appears at a time when users need it. Not sure what had changed between Windows and Manage Engine updates but the password change feature no longer worked. To troubleshoot, I checked the logs in C:\ManageEngine\ADSelfService Plus\logs. The serverOut log had indicated the following: 

ChangePasswordError:The specified module 'ActiveDirectory' was not loaded because no valid module file was found in any module directory.

I had been battling this issue for almost a week trying all sorts of fixes, including the ones here. In that time, I learned how the password change feature works, which I believe is key to understanding where the problem is. So, from the logs, I could see that it was using the Windows Remote Management service to connect to the DC and run a remote PowerShell command to change the AD password. In my case, fix 1 was not feasible/too much work; fix 2 ignored the error and reported a false success notice; fix 3 did not apply to me since those updates were not installed.

Many things can go wrong in the password change process but to resolve this particular issue, you'll need to ensure the Active Directory Powershell Module is installed on your domain controller and that remote management is enabled and permissions correctly set. This should be no problem for Server 2008 R2 and above but if you have 2008 or 2003 DCs, you may need to do a few more things. Not sure if the OP has the same issue but here's the fix that worked for me:

Since Server 2008 does not have the AD PowerShell module and it cannot be installed directly, you'll need a W7/Server 2008 R2 or above machine to create a portable version.

On the W7+ Machine
1. Install .net 3.5 SP1, powershell v2, RSAT (enable AD tools), and W7 SDK (.net tools only)
2. Copy the following to a new folder (say AD-PSModule):
AD Powershell Module: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory (whole folder)
Global Assembly Cache Utility: C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\GACUTIL.exe and GACUTIL.EXE.CONFIG
AD Powershell Assembly DLL: Search C: for Microsoft.ActiveDirectory.Management.dll. (Mine was in the C:\Windows\winsxs folder)

Your folder should now have the following structure:
AD-PSModule
>GACUTIL.EXE
>GACUTIL.EXE.CONFIG
>Microsoft.ActiveDirectory.Management.dll
>ActiveDirectory
>>ActiveDirectory.Format.ps1xml
>>ActiveDirectory.psd1
>>etc...

3. Zip to make semi-portable :)

On the Destination Machine/Server
0. Copy/Extract AD-PSModule folder to the destination machine
1. Install at least .net 3.5 SP1 and Powershell v2
1B. For Server 2008 SP2 only: Install KB969166 and KB968934 (in that order) to be able to manage the server remotely (reboot after each hotfix)
2. Copy the ActiveDirectory folder to: C:\Windows\System32\WindowsPowerShell\v1.0\Modules
3. Open cmd as Administrator
4. CD to the AD-PSModule folder
5. Enter the following command:
GACUTIL.EXE -i Microsoft.ActiveDirectory.Management.dll
6. AD-Powershell Module install is complete. To test, open Powershell as admin and enter the following. It should no longer report issues 

Import-Module ActiveDirectory

Notes
- If remote management still doesn't work, try re-registering powershell session info by entering the following in PS as admin from the remote server:
Register-PSSessionConfiguration -Name Microsoft.PowerShell
- Also, both servers must trust each other for remote management. Follow Fix 2, step i and ii to enable the trust (do not apply the manageengine patch)
- Links to KB969166: (x86) | (x64)

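The script below is an added diagnostic, not part of Kevin's post or the vendor's: run from the ADSelfService Plus server once the Fix 2 trust is in place, it checks on the DC the two things this thread found missing, the ActiveDirectory module (the serverOut error above) and membership of the connecting account in "Remote Management Users" (the earlier non-domain-joined fix). $DcName and the credential are assumptions supplied by the caller.

```powershell
# Added example (not from this thread's authors). Requires the WinRM trust
# from Fix 2 steps i and ii; $Cred is the account ADSelfService Plus connects with.
param(
    [Parameter(Mandatory = $true)][string]$DcName,
    [pscredential]$Cred = (Get-Credential -Message "Account ADSelfService Plus uses to reach $DcName")
)

# Bare sAMAccountName from either DOMAIN\user or user@domain.
$user = $Cred.UserName
$sam = if ($user -like '*\*') { $user.Split('\')[-1] } else { $user.Split('@')[0] }

$report = Invoke-Command -ComputerName $DcName -Credential $Cred -ArgumentList $sam -ScriptBlock {
    param($Sam)
    $out = @{ ModuleFound = $false; ImportError = $null; InRemoteMgmt = $false }
    # 1. Is a module file present in any module directory? This is exactly what
    #    the "no valid module file was found" log entry complains about.
    $out.ModuleFound = [bool](Get-Module -ListAvailable -Name ActiveDirectory)
    if ($out.ModuleFound) {
        try { Import-Module ActiveDirectory -ErrorAction Stop }
        catch { $out.ImportError = $_.Exception.Message }
    }
    # 2. Is the connecting account permitted on the remoting endpoint? Members of
    #    Administrators are allowed too, so a miss here is only a warning.
    if ($out.ModuleFound -and -not $out.ImportError) {
        $members = Get-ADGroupMember -Identity 'Remote Management Users' -Recursive |
                   Select-Object -ExpandProperty SamAccountName
        $out.InRemoteMgmt = $members -contains $Sam
    }
    $out
}

if (-not $report.ModuleFound) {
    Write-Warning "ActiveDirectory module not found on $DcName; see the portable-module steps above."
} elseif ($report.ImportError) {
    Write-Warning "Import-Module ActiveDirectory failed on ${DcName}: $($report.ImportError)"
} else {
    "ActiveDirectory module imports cleanly on $DcName."
}
if (-not $report.InRemoteMgmt) {
    Write-Warning "$sam is not in 'Remote Management Users' on $DcName; unless it is an administrator, the remote password change can report success without changing anything."
}
```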
Matt Hamlin 5 Laps
Patching our instance to build 5318 worked, but I had to add all of our domain controllers to the list in domain settings.  Previously only our primary domain controller was in the list.  Support was very helpful!