80070005 on using IADsUser ChangePassword Function

    Question

  • When I am using the IADsUser ChangePassword function to change the password for a domain user in C++, I got the 80070005 HRESULT error code. From a Google search, it is an access denied error. The product is in a DMZ environment (not domain joined, firewalls applied). I tried changing the password for the same user on the target DC from PowerShell with Set-ADAccountPassword -Server server -Credential Domain\user, and it works. Native change password works fine (Ctrl + Alt + Delete). Is this because of a port blocked by the firewall, or is it something else?

    And how do I install Active Directory Web Services to use PowerShell on the DMZ machine to check for the issue?


    Tuesday, January 12, 2016 1:18 PM

Answers

  • > When I am using the IADsUser ChangePassword function to change the password for a
    > domain user in C++,
     
    How do you connect? If not over a secure channel, you MUST use LDAPS/636.
     
     
    Tuesday, January 12, 2016 2:35 PM
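As an added example that is not part of the thread: the bind below forces the LDAPS path the reply refers to by naming port 636 and setting the SecureSocketsLayer flag, then calls ChangePassword through ADSI (DirectoryEntry.Invoke dispatches to the same IADsUser::ChangePassword the C++ code uses) and decodes the HRESULT. The server name, DN and passwords are placeholders; the -UseSsl switch lets the same call be repeated over plain LDAP/389 so the two paths can be compared from the DMZ host.

```powershell
# Added example (not from the thread). Hostname, DN and passwords are placeholders.
Add-Type -AssemblyName System.DirectoryServices

function Invoke-AdsiChangePassword {
    param(
        [Parameter(Mandatory)] [string]$Server,       # placeholder: DC hostname
        [Parameter(Mandatory)] [string]$UserDn,       # placeholder: user's distinguished name
        [Parameter(Mandatory)] [string]$OldPassword,
        [Parameter(Mandatory)] [string]$NewPassword,
        [switch]$UseSsl                               # set = LDAPS/636, unset = LDAP/389
    )
    $Auth = [System.DirectoryServices.AuthenticationTypes]
    # Secure = Negotiate (Kerberos/NTLM) bind; ServerBind pins the bind to this DC
    # so a failure is attributable to it rather than to DC locator.
    $authType = $Auth::Secure -bor $Auth::ServerBind
    $port = 389
    if ($UseSsl) {
        $authType = $authType -bor $Auth::SecureSocketsLayer   # LDAP over TLS
        $port = 636
    }
    $path = "LDAP://${Server}:${port}/$UserDn"
    try {
        # Null user name/password: bind with the caller's current security context
        $entry = New-Object System.DirectoryServices.DirectoryEntry($path, $null, $null, $authType)
        # Invoke dispatches to IADsUser::ChangePassword on the underlying ADSI object
        [void]$entry.Invoke('ChangePassword', @($OldPassword, $NewPassword))
        return [pscustomobject]@{ Path = $path; Result = 'OK'; HResult = '0x00000000'; Win32Error = 0 }
    }
    catch {
        # Unwrap TargetInvocationException to reach the COM exception and its HRESULT
        $inner = $_.Exception
        while ($inner.InnerException) { $inner = $inner.InnerException }
        $hr = [int]$inner.HResult
        # 0x8007xxxx wraps a Win32 error code: 0x80070005 is ERROR_ACCESS_DENIED (5)
        $win32 = if (($hr -band 0xFFFF0000) -eq 0x80070000) { $hr -band 0xFFFF } else { $null }
        return [pscustomobject]@{
            Path       = $path
            Result     = $inner.Message
            HResult    = ('0x{0:X8}' -f $hr)
            Win32Error = $win32
        }
    }
}

# Run the same change over plain LDAP and over LDAPS to see which path the DMZ firewall allows.
$common = @{ Server = 'dc01.example.test'; UserDn = 'CN=Test User,OU=Users,DC=example,DC=test'
             OldPassword = 'OldP@ss-placeholder'; NewPassword = 'NewP@ss-placeholder' }
Invoke-AdsiChangePassword @common
Invoke-AdsiChangePassword @common -UseSsl
```

Without SSL, the documented order for ChangePassword on the LDAP provider is the Kerberos change-password protocol (TCP/UDP 464) and then NetUserChangePassword over SMB (TCP 445); if both are blocked at the DMZ firewall the call surfaces as 0x80070005. Over 636 the DC's certificate must chain to a CA the DMZ host trusts, otherwise the bind fails before the password call is attempted.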
  • Hi,

    Below is a list of the ports that need to be opened when configuring AD Connect in the DMZ, for your reference:

    • TCP/UDP 389/636/3268/3269 - Server ports for the Lightweight Directory Access Protocol (LDAP). LDAP is used by AD Connect to access the Windows Active Directory on the Domain Controller (when in-network or Windows Authentication is used). Also used for mobile authentication.
    • UDP 138 - NetBIOS name resolution
    • TCP/UDP 445 - SAM/LSA
    • UDP 123 - NTP W32 Time
    • TCP/UDP 135 - RPC Endpoint Mapper (additionally, a dynamic range of ports needs to be open, i.e. for Windows 2008+, 49152 through 65535)
    • UDP 137 - NetBIOS Datagram
    • TCP/UDP 88 - This port belongs exclusively to Kerberos. AD Connect uses Port 88 for off-network access when performing a Single Sign-On event outside of the corporate network.
    • TCP/UDP 464 - This server port is also used by Kerberos for Change / Set Password. It appears to be necessary for joining the Web Server to the Windows Domain.
    • TCP/UDP 53 - The DNS service runs on this port. It's typically used to convert between URLs and IP addresses. It is also needed to join the Windows Domain.

    Article for your reference:

    Active Directory and Active Directory Domain Services Port Requirements

    https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

    Additional information from MSDN:

    Windows services ports: http://support.microsoft.com/kb/179442#method3

    RPC ports: http://support.microsoft.com/kb/832017#method39

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Thursday, January 14, 2016 2:43 AM
    Moderator
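As an added example that is not part of the thread: the probe below checks, from the DMZ host, which of the TCP ports in the list above actually reach the DC, so a firewall block can be told apart from a permissions problem before touching the ChangePassword code. The DC name is a placeholder; TCP 9389 (Active Directory Web Services, which the ActiveDirectory PowerShell module talks to) is not in the reply's list and is added here because the question also asks about using that module from the DMZ.

```powershell
# Added example (not from the thread). $Dc is a placeholder hostname.
function Test-DcPorts {
    param(
        [Parameter(Mandatory)] [string]$Dc,
        [int]$TimeoutMs = 2000
    )
    # Only TCP listeners can be verified with a connect; the UDP entries from the
    # list (123, 137, 138) and the dynamic RPC range cannot be checked this way.
    $ports = @(
        @{ Port = 53;   Name = 'DNS' },
        @{ Port = 88;   Name = 'Kerberos' },
        @{ Port = 135;  Name = 'RPC endpoint mapper' },
        @{ Port = 389;  Name = 'LDAP' },
        @{ Port = 445;  Name = 'SMB / SAM-LSA (NetUserChangePassword path)' },
        @{ Port = 464;  Name = 'Kerberos change/set password' },
        @{ Port = 636;  Name = 'LDAPS' },
        @{ Port = 3268; Name = 'Global Catalog' },
        @{ Port = 3269; Name = 'Global Catalog over SSL' },
        @{ Port = 9389; Name = 'AD Web Services (ActiveDirectory module)' }   # added, not in the list above
    )
    foreach ($p in $ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            # Asynchronous connect so a silently dropped SYN fails after $TimeoutMs
            # instead of hanging for the OS default.
            $async = $client.BeginConnect($Dc, $p.Port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($async)      # throws if the connection was refused
                $open = $client.Connected
            }
        }
        catch { $open = $false }
        finally { $client.Close() }
        [pscustomobject]@{ Port = $p.Port; Service = $p.Name; Open = $open }
    }
}

Test-DcPorts -Dc 'dc01.example.test' | Format-Table -AutoSize
```

A DC that shows 389 open but 464, 445 and 636 all closed matches the symptom in the question: the bind succeeds, but every secure path ChangePassword can use is cut off, so the call fails with access denied while the same change from a domain-joined host (with those ports reachable) works.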

All replies

  • Is there any way to check whether the channel is secure or not? Adding this point to the question.

    If I enable User Must Change Password on next logon, it works fine in the DMZ environment.

    And when I execute IADsUser->ChangePassword from any domain-joined machine for the same user, it works fine.

    Thursday, February 04, 2016 6:18 PM
  • Hi,

    Regarding the additional question, please open a new post in our forum so that you get more efficient support. Thanks for your understanding.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, February 05, 2016 9:36 AM
    Moderator