
Password Manager Product Notification

One Identity Critical Product Notification - Password Manager 5.5.x - 5.6.x
Problem

After recent Microsoft security patches for Windows are applied to the Password Manager server, users can no longer change their passwords during a "managed my password" operation. The Password Manager server also logs errors in the Event Viewer.

How does this affect Password Manager? 

After applying the following Microsoft Security Patches for Windows to Password Manager servers, users are unable to reset their passwords:

KB3167679
KB3172605
KB3175443
KB3177725
KB3178034
KB3177108 

When a user attempts to reset their password via Password Manager, the following error displays on the client computer: 

“Some errors occurred while changing password” 

The following error is also logged in the event log of the Password Manager server:

“The system cannot contact a domain controller to service the authentication request.  Please try again later. (Exception from HRESULT:0x0800704f1)' with system <>" 

This results in a failed password change. 
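
To confirm that a server matches the symptoms above, the following PowerShell check reports which of the listed updates are installed and searches an event log for the quoted error text. It is an added example, not One Identity or Microsoft code; the `Application` log name and the 14-day window are assumptions, since this notification does not name the log.

```powershell
# Added example (not vendor code). Run on, or against, the Password Manager server.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    # Assumption: the notification does not say which log holds the error.
    [string]$LogName = 'Application',
    [int]$DaysBack = 14
)

# KB numbers listed in this notification.
$kbs = 'KB3167679','KB3172605','KB3175443','KB3177725','KB3178034','KB3177108'

# Filter client-side so that a KB that is not installed does not raise an error.
$installed = Get-HotFix -ComputerName $ComputerName |
    Where-Object { $kbs -contains $_.HotFixID }

$report = foreach ($kb in $kbs) {
    $hit = $installed | Where-Object { $_.HotFixID -eq $kb } | Select-Object -First 1
    [pscustomobject]@{
        KB          = $kb
        Installed   = [bool]$hit
        InstalledOn = if ($hit) { $hit.InstalledOn } else { $null }
    }
}
$report | Format-Table -AutoSize | Out-Host

# Error text quoted in this notification, matched as a substring of the event message.
$needle = '*cannot contact a domain controller to service the authentication request*'
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = $LogName
    StartTime = (Get-Date).AddDays(-$DaysBack)
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -like $needle }

Write-Host ("{0} matching event(s) in the last {1} days" -f @($events).Count, $DaysBack)
$events | Select-Object TimeCreated, ProviderName, Id | Format-Table -AutoSize | Out-Host

# Both conditions together match the problem described in this notification.
if (($report | Where-Object { $_.Installed }) -and $events) {
    Write-Host 'Listed patch present and error logged: install the Password Manager hotfix for the installed version.'
}
```

`Get-HotFix` reports only updates recorded in `Win32_QuickFixEngineering`, so an update delivered inside a later rollup will not appear under these KB numbers.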

The following Microsoft articles can be consulted for more details regarding the Microsoft patches: 

https://support.microsoft.com/en-us/kb/3167679 

https://support.microsoft.com/en-us/kb/3177108 

“This security update disables the ability of the Negotiate process to fall back to NTLM when Kerberos authentication fails for password change operations. 

Currently, the ability to change the passwords of disabled or locked-out accounts is supported only by NTLM. It is not supported by the Kerberos protocol. This security update prevents the Negotiate process from falling back to NTLM for password change operations when Kerberos authentication fails. Therefore, you will no longer be able to change the password for disabled or locked-out accounts after you install this security update. It is not secure to change disabled or locked-out user account passwords by using NTLM. This is why the ability of Negotiate to fall back to NTLM is disabled by this security update. 

Note Even though you can no longer change the password for disabled or locked accounts, you can set the password by using Active Directory-based tools.”  

Resolution 

To resolve the issue after installing the Microsoft security patches listed in this article, install the Password Manager hotfix for your installed version, available here:

https://support.quest.com/password-manager/kb/211826

Questions or comments 

If you have any questions or comments, please Contact Support. If you have a technical issue, please log a Service Request. Please do not respond directly to this email notification.


Thank You,
One Identity