Users are unable to change password in Password Manager (211826)

When users are attempting to reset their passwords via "Manage My Password" action, the following error is shown to the user:

The following error is also logged in the Password Manager event log on the Password Manager server:

"The system cannot contact a domain controller to service the authentication request.  Please try again later. (Exception from HRESULT:0x0800704f1)' with system <>"

The issue is caused by recent Microsoft Windows Security updates on or about 8/11/2016:

KB3167679
KB3177108

These updates changed the functionality of Kerberos and NTLM fallback when performing a change password action. The update disables the Negotiate process to fall back to NTLM when Kerberos authentication fails for password change operations.

As noted in Microsoft KB3167679:

Known issue 3

We know about an issue in which programmatic resets of local user account password changes may fail and return the STATUS_DOWNGRADE_DETECTED (0x800704F1) error code. 

The following table shows the full error mapping. 

Status
The root cause of this issue is understood. We plan to release a fix that resolves this issue in October 2016. This release date is subject to change. This article will be updated with additional details as they become available. 

Please refer to the Microsoft KBs for further detail:

https://support.microsoft.com/en-us/kb/3167679

https://support.microsoft.com/en-us/kb/3177108

In some environments the following Windows Security updates may cause an issue:

KB3172605
KB3175443
KB3177725
KB3178034
KB3187754
KB3185911
KB3185319
KB3184122
KB3177186
KB3175024
KB3174644

STATUS:

This hotfix has now been replaced in KB 214947.

NOTE: Though hotfix 214947 replaces hotfix 211826, it is not necessary to uninstall hotfix 211826. You may do so at your own discretion.