When users are attempting to reset their passwords via "Manage My Password" action, the following error is shown to the user:
The following error is also logged in the Password Manager event log on the Password Manager server:
"'The system cannot contact a domain controller to service the authentication request. Please try again later. (Exception from HRESULT:0x0800704f1)' with system <>"
The issue is caused by recent Microsoft Windows Security updates on or about 8/11/2016:
These updates changed how Kerberos and the NTLM fallback behave during a change-password operation. After the update, the Negotiate security package no longer falls back to NTLM when Kerberos authentication fails for a password change, so a password change that previously succeeded over NTLM now fails with the error above.
As noted in Microsoft KB3167679:
Known issue 3
We know about an issue in which programmatic resets of local user account password changes may fail and return the STATUS_DOWNGRADE_DETECTED (0x800704F1) error code.
The following table shows the full error mapping.
| Hex   | Decimal | Symbolic name            | Description |
|-------|---------|--------------------------|-------------|
| 0x4f1 | 1265    | ERROR_DOWNGRADE_DETECTED | The system cannot contact a domain controller to service the authentication request. Please try again later. |
The root cause of this issue is understood. We plan to release a fix that resolves this issue in October 2016. This release date is subject to change. This article will be updated with additional details as they become available.
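The following PowerShell script is an added example and is not part of this KB article or of the Password Manager product. It shows the error mapping from the table above in practice (the HRESULT 0x800704F1 unpacks to Win32 error 1265, ERROR_DOWNGRADE_DETECTED), checks whether the Microsoft update named above (KB3167679) is reported as installed, and searches a Windows event log for recent occurrences of the error. The log name `Application` and the 24-hour lookback are assumptions; the article does not state which log Password Manager writes to, so adjust `$LogName` for your installation.

```powershell
# Added example (not from the original KB article): triage for the
# STATUS_DOWNGRADE_DETECTED / ERROR_DOWNGRADE_DETECTED password-change failure.
# Assumptions (not stated on the page): the log is read as 'Application';
# change $LogName to the log your Password Manager server writes to.
param(
    [string]$LogName       = 'Application',   # assumed log name
    [int]   $LookbackHours = 24               # assumed search window
)

# 1. Decode the HRESULT to the Win32 error it wraps.
#    HRESULT_FROM_WIN32 puts facility 7 (FACILITY_WIN32) in the high word
#    and keeps the Win32 code in the low 16 bits:
#    0x800704F1 -> 0x4F1 = 1265 = ERROR_DOWNGRADE_DETECTED.
function ConvertFrom-HResult {
    param([long]$HResult)
    $h = $HResult -band 0xFFFFFFFFL          # normalise to an unsigned 32-bit value
    [pscustomobject]@{
        HResult         = ('0x{0:X8}' -f $h)
        Win32Code       = [int]($h -band 0xFFFF)
        Win32Hex        = ('0x{0:X}' -f ($h -band 0xFFFF))
        IsWin32Facility = ((($h -shr 16) -band 0x1FFF) -eq 7)
    }
}

ConvertFrom-HResult -HResult 0x800704F1 | Format-List

# 2. Is the Microsoft update named in the article installed on this server?
#    Get-HotFix lists only updates visible through WMI; when the change shipped
#    inside a rollup it may appear under a different KB number, so a miss here
#    is not proof that the behaviour change is absent.
$kb = Get-HotFix -Id 'KB3167679' -ErrorAction SilentlyContinue
if ($kb) {
    "KB3167679 installed on $($kb.InstalledOn)"
} else {
    "KB3167679 not reported by Get-HotFix (may be contained in a rollup)"
}

# 3. Pull recent events whose message carries the error code or its text.
$since = (Get-Date).AddHours(-$LookbackHours)
Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object {
        "$($_.Message)" -match '0x800704F1|STATUS_DOWNGRADE_DETECTED|ERROR_DOWNGRADE_DETECTED|cannot contact a domain controller to service the authentication request'
    } |
    Select-Object TimeCreated, ProviderName, Id,
        @{ n = 'Message'; e = { $m = "$($_.Message)"; $m.Substring(0, [Math]::Min(160, $m.Length)) } } |
    Format-Table -AutoSize
```

Run it on the Password Manager server as an account that can read the chosen event log. Step 1 needs no privileges and is useful on its own when an error is reported only as an HRESULT; steps 2 and 3 together tell you whether the update is present and whether the failure is still recurring after the hotfix is applied.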
Please refer to the Microsoft KBs for further detail:
In some environments the following Windows Security updates may cause an issue:
Hotfix 211826 has now been superseded by hotfix 214947; see KB 214947.
NOTE: Though hotfix 214947 replaces hotfix 211826, it is not necessary to uninstall hotfix 211826. You may do so at your own discretion.