tags:

views:

1167

answers:

1
+2  Q: 

Strange issue with System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity

We're writing a system that allows a user to change their account password through a web application on our intranet.

At first, everything appeared to be running smoothly. During development passwords for our test accounts could be changed with no problem.

When we made the system live, however, we started running into issues. Here are the symptoms:

  1. At first, everything is fine. Users can change their passwords.
  2. At some point, the following error occurs in UserPrincipal.FindByIdentity: "System.Runtime.InteropServices.COMException: The authentication mechanism is unknown. "
  3. From then on, trying to change a password through the web application results in the error: "System.Runtime.InteropServices.COMException: The server is not operational. "
  4. If I manually recycle the app pool, everything seems to fix itself until more errors begin happening... i.e., the process starts all over again at phase 1.

Here's the relevant snippet of code:

    private static PrincipalContext CreateManagementContext() {
  return new PrincipalContext(
   ContextType.Domain, 
   ActiveDirectoryDomain, 
   ActiveDirectoryManagementAccountName,
   ActiveDirectoryManagementAccountPassword);
 }


 private static void ChangeActiveDirectoryPasword(string username, string password) {
  if (username == null) throw new ArgumentNullException("username");
  if (password == null) throw new ArgumentNullException("password");

  using (var context = CreateManagementContext())
  using (var user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, username)) {
   user.SetPassword(password);
  }
 }

Any clues as to why this is happening? Google searches aren't turning up anything really helpful, and neither are the docs on MSDN.

+3  A: 

Hello Nick,

First thing I notice is that you are using UserPrincipal.FindByIdentity which is inherited from AuthenticablePrincipal which is inherited from Principal. I say all this because the Principal class has a known memory leak in the FindByIdentity. If you have a look at this MSDN entry, you will notice at the bottom that Gary Caldwell from Microsoft said the following:

This call has an unmanaged memory leak because the underlying implemenation uses DirectorySearcher and SearchResultsCollection but does not call dispose on the SearchResultsCollection as the document describes.

I would guess that this is your issue. The memory leak causes the Application Pool to fill up and finally cause errors, until the Application Pool is reset and the memory is disposed.

When we use any active directory functions, we use the following to accomplish setting of the user's password: 

Public Shared Function GetUserAccount(ByVal username As String) As DirectoryEntry
    Dim rootPath As String = GetRootPath()
 Using objRootEntry As New DirectoryEntry(rootPath)
  Using objAdSearcher As New DirectorySearcher(objRootEntry)
   objAdSearcher.Filter = "(&(objectClass=user)(samAccountName=" & username & "))"
   Dim objResult As SearchResult = objAdSearcher.FindOne()
   If objResult IsNot Nothing Then Return objResult.GetDirectoryEntry()
  End Using
 End Using
 Return Nothing
End Function

Public Shared Sub SetPassword(ByVal username As String, ByVal newPassword As String)
 Using objUser As DirectoryEntry = GetUserAccount(username)
  If objUser Is Nothing Then Throw New UserNotFoundException(username)
  Try
   objUser.Invoke("SetPassword", newPassword)
   objUser.CommitChanges()
  Catch ex As Exception
   Throw New Exception("Could not change password for " & username & ".", ex)
  End Try
 End Using
End Sub

Also, if you're wanting the users to change the passwords directly and you don't want to rely on their honesty, you might want to consider using the ChangePassword function of LDAP like this: 

Public Shared Sub ChangePassword(ByVal username As String, ByVal oldPassword As String, ByVal newPassword As String)
 Using objUser As DirectoryEntry = GetUserAccount(username)
  If objUser Is Nothing Then Throw New UserNotFoundException(username)
  Try
   objUser.Invoke("ChangePassword", oldPassword, newPassword)
   objUser.CommitChanges()
  Catch ex As TargetInvocationException
   Throw New Exception("Could not change password for " & username & ".", ex)
  End Try
 End Using
End Sub

This forces the user to know the prior password before changing to the new one.

I hope this helps,

Thanks!

Scott  2009-12-10 23:28:52
Definitely helps. We've installed a hotfix which supposedly addresses some (but not all) of the issues with FindByIdentity, and are testing our code now.While we would prefer to use the ChangePassword method, we unfortunately have some funkiness in our domain that's enforcing password rules that we don't want. SetPassword bypasses those rules.If our current attempts to fix the existing code don't work, the next step will be to rewrite it using System.DirectoryServices directly (no AccountManagement stuff), as you demonstrated.
Nick Aceves  2009-12-11 01:23:45
Nick, when I implement your above mentioned method of doing this, it seems that it also checks the domain user account password policies. I would assume this is how it would work because under the hood, it uses the same methods. Also, looking at this MSDN article: http://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.authenticableprincipal.setpassword.aspx you see that SetPassword can generate a `PasswordException`. It also states that it throws this if the new password does not meet password complexity requirements. Hope this helps!
Scott  2009-12-11 15:51:13
Under the hood, ChangePassword is calling DirectoryEntry.Invoke("ChangePassword", password). SetPassword is calling DirectoryEntry.Invoke("SetPassword", password).Our policies are being enforced when using ChangePassword (things like not allowing past passwords to be reused). They are not enforced with SetPassword. With SetPassword, I can set anyone's account password to whatever I please if I have the correct permissions. If you look here: http://forums.asp.net/p/1488874/3493645.aspx you will notice that someone else has also discovered this.The MSDN docs are misleading on this.
Nick Aceves  2009-12-11 21:23:41
Nick - is this the hot fix you are referring to?http://code.msdn.microsoft.com/KB969166/Release/ProjectReleases.aspx?ReleaseId=3176 - Jeff
jlo  2010-01-29 13:47:54

related questions

Querying Active Directory with "SQL"?
Can I get more than 1000 records from a DirectorySearcher in Asp.Net?
How to get AD User Groups for user in Asp.Net?
Attempting to update a user's "connect to:" home directory path in AD using C#
Monitoring group membership in Active Directory more efficiently (C# .NET)
How do I speed up data retrieval from .NET AD within ColdFusion
How do you authenticate against an Active Directory server using Spring Security?
Managing large user databases for single-signon.
Move Active Directory Group to Another OU using Powershell
How to move SharePoint sites from one active directory domain to another?
When did I last talk to my Domain Server?
Using ActiveDirectoryMembershipProvider with two domain controllers
I am having trouble getting phpBB to authenticate with our Active Directory
How do I use ADAM to run unit tests?
COMException "Library not registered." while using System.DirectoryServices
Caching Active Directory Data
Windows / Active Directory - User / Groups
Get a list of available domains (NT4 and Active Directory)
How do I use NTLM authentication with Active Directory
I/O permission settings using .net installer
quoting System.DirectoryServices.ResultPropertyCollection
How do you impersonate an Active Directory user in Powershell?
Setting Group Type for new Active Directory Entry in VB.NET
Is there a way for MS Access to grab the current Active Directory user?
Checklist for IIS 6/ASP.NET Windows Authentication?