DirectoryServices, ChangePassword: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

  • Question

  • I've got a problem with a Web app allowing users to change their domain password.
    The code which fails is part of a method of a WCF service hosted in IIS, using Windows integrated security.
    The code there looks like this:

      System.Security.Principal.WindowsIdentity userIdentity = null;
      userIdentity = ServiceSecurityContext.Current.WindowsIdentity;
      using (System.Web.Hosting.HostingEnvironment.Impersonate())
      {
        PrincipalContext pc = null;
        pc = new PrincipalContext(ContextType.Domain);
        UserPrincipal up = UserPrincipal.FindByIdentity(pc, userIdentity.Name);
        up.ChangePassword(oldPwd, newPwd);
      }


    It fails at the last line (up.ChangePassword) with an E_ACCESSDENIED error.
    No matter what privileges the current user has. Even running the app as a domain administrator fails with the same error.

    To narrow the problem I created a small Win-Forms app with almost the same code:

      PrincipalContext pc = null;

      pc = new PrincipalContext(ContextType.Domain);

      UserPrincipal up = UserPrincipal.FindByIdentity(pc, userName);

      up.ChangePassword(oldPwd, newPwd);


    Giving the username and pwds from the user input.

    Running this app gives the same access denied error:

    System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
       --- End of inner exception stack trace ---
       at System.DirectoryServices.DirectoryEntry.Invoke(String methodName, Object[] args)
       at System.DirectoryServices.AccountManagement.SDSUtils.ChangePassword(DirectoryEntry de, String oldPassword, String newPassword)
       at System.DirectoryServices.AccountManagement.ADStoreCtx.ChangePassword(AuthenticablePrincipal p, String oldPassword, String newPassword)
       at System.DirectoryServices.AccountManagement.PasswordInfo.ChangePassword(String oldPassword, String newPassword)
       at System.DirectoryServices.AccountManagement.AuthenticablePrincipal.ChangePassword(String oldPassword, String newPassword)
       at SetPassword.Program.ChangeUserPassword(String userName, String oldPwd, String newPwd)

    No matter what elevation (highest available, administrator) the app is running in.

    Any help or guidance is very appreciated! Thanks.


    • Edited by Joe Beer Wednesday, December 19, 2012 9:47 AM added exception stack trace
    Wednesday, December 19, 2012 9:23 AM

Answers

  • I guess I can answer it myself...:
    Instead of using
    up.ChangePassword(oldPwd, newPwd);
    I should use
    up.SetPassword(newPwd);
    Since the current Windows identity, in case of the WCF service the impersonated app pool identity, acts on the user principal, but is not the identity of this user.

    At least the test Win-Forms app worked with the usage of SetPassword.

    • Proposed as answer by Adavesh Wednesday, December 19, 2012 5:16 PM
    • Marked as answer by Mike Feng (Moderator) Thursday, December 20, 2012 3:27 AM
    Wednesday, December 19, 2012 5:15 PM
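
The answer above replaces a password change with a reset: `SetPassword` takes no old password, so a service that exposes it has to verify the old password itself and take the target account from the authenticated caller rather than from request input. The following is an added example of that check, not code from the original thread. The class and method names are hypothetical, and it assumes the process identity has been delegated the right to reset passwords on the affected accounts.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

// Hypothetical helper; names are assumptions, not from the thread.
public static class SelfServicePassword
{
    // callerName must come from the authenticated identity, e.g.
    // ServiceSecurityContext.Current.WindowsIdentity.Name, never from
    // a field in the request body.
    public static bool ResetOwnPassword(string callerName, string oldPwd, string newPwd)
    {
        if (string.IsNullOrEmpty(callerName) ||
            string.IsNullOrEmpty(oldPwd) ||
            string.IsNullOrEmpty(newPwd))
        {
            return false;
        }

        using (var pc = new PrincipalContext(ContextType.Domain))
        using (var up = UserPrincipal.FindByIdentity(pc, callerName))
        {
            if (up == null)
            {
                return false; // no such account in the domain
            }

            // SetPassword never sees the old password, so prove the caller
            // knows it before resetting. Without this step, anyone holding
            // an unlocked session could replace the password.
            if (!pc.ValidateCredentials(up.SamAccountName, oldPwd))
            {
                return false;
            }

            try
            {
                up.SetPassword(newPwd);
                return true;
            }
            catch (PasswordException)
            {
                // The directory rejected the new password (policy violation).
                return false;
            }
        }
    }
}
```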

All replies

  • Hi Joe,

    Thank you for sharing your solution here.

    Best regards,


    Mike Feng

    Thursday, December 20, 2012 3:27 AM
    Moderator
  • Did you have this problem fixed?

    Vejee

    Tuesday, February 12, 2013 7:25 PM