Open binarypatrick opened 7 years ago
@BinaryPatrick what is the behavior on .NET Framework?
It seems to be the same.
System.DirectoryServices.AccountManagement.PrincipalOperationException occurred
HResult=0x80131501
Message=The system cannot contact a domain controller to service the authentication request. Please try again later. (Exception from HRESULT: 0x800704F1)
Source=System.DirectoryServices.AccountManagement
StackTrace:
at System.DirectoryServices.AccountManagement.SDSUtils.ChangePassword(DirectoryEntry de, String oldPassword, String newPassword)
at System.DirectoryServices.AccountManagement.ADStoreCtx.ChangePassword(AuthenticablePrincipal p, String oldPassword, String newPassword)
at System.DirectoryServices.AccountManagement.PasswordInfo.ChangePassword(String oldPassword, String newPassword)
at System.DirectoryServices.AccountManagement.AuthenticablePrincipal.ChangePassword(String oldPassword, String newPassword)
at ADTest.Program.Main(String[] args) in C:\Users\username\Documents\Visual Studio 2017\Projects\ADTest\ADTest\Program.cs:line 37
Inner Exception 1:
COMException: The system cannot contact a domain controller to service the authentication request. Please try again later. (Exception from HRESULT: 0x800704F1)
But is that the correct and expected exception? Neither seems to fit the documentation.
@tquerec can you please comment?
Any update on this?
@tquerec @josephisenhour where is the right place to report an issue with the native API here?
When using System.DirectoryServices.AccountManagement 4.5.0-preview1-25906-03, both SetPassword and ChangePassword throw PrincipalOperationException when the password does not meet complexity requirements in AD. Both methods have documentation stating they should throw System.DirectoryServices.AccountManagement.PasswordException instead. This error seems to appear for most issues, including invalid AD permission to perform a password reset.
{System.DirectoryServices.AccountManagement.PrincipalOperationException: The system cannot contact a domain controller to service the authentication request. Please try again later. (Exception from HRESULT: 0x800704F1) ---> System.Runtime.InteropServices.COMException: The system cannot contact a domain controller to service the authentication request. Please try again later. (Exception from HRESULT: 0x800704F1)\r\n --- End of inner exception stack trace ---
I have verified both methods work when I use a password that does meet complexity and history requirements in our AD environment.
I was hoping for a more precise error message to report to the user when their password change attempt fails. Is this a known issue, or something to be fixed for .NET Core 2.1.0?