KB3167679 breaks password changing on Windows 2008 R2 Servers

  • Question

  • Hi Team,

    We are facing a password changing issue on our 2008 R2 Server. Please find the error below.

    "The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you."

    We uninstalled the patch KB3167679 and the issue was resolved, but the patch will install automatically.

    The question is whether there is any hotfix for this issue.

    Kindly help on this issue.

    Regards

    Vajram Gajengi

    Tuesday, August 30, 2016 4:53 PM

All replies

  • Hi,

    Thanks for your post.

    There is a discussion of this issue, please see as below:

    KB3167679 breaks password changing on Win7 joined in NT style domain (samba 3.6.23)

    https://social.technet.microsoft.com/Forums/en-US/6ae0b2d5-da14-4a63-8175-5e7f889b2adf/kb3167679-breaks-password-changing-on-win7-joined-in-nt-style-domain-samba-3623?forum=w7itpronetworking

    More information about this patch:

    MS16-101: Security update for Windows authentication methods: August 9, 2016

    https://support.microsoft.com/en-us/kb/3178465

    Known issues in this security update

    • This security update disables the ability of the Negotiate process to fall back to NTLM when Kerberos authentication fails for password change operations. 

      Currently, the ability to change the passwords of disabled or locked-out accounts is supported only by NTLM. It is not supported by the Kerberos protocol. This security update prevents the Negotiate process from falling back to NTLM for password change operations when Kerberos authentication fails. Therefore, you will no longer be able to change the password for disabled or locked-out accounts after you install this security update. It is not secure to change disabled or locked-out user account passwords by using NTLM. This is why the ability of Negotiate to fall back to NTLM is disabled by this security update.

      Note: Even though you can no longer change the password for disabled or locked accounts, you can set the password by using Active Directory-based tools.

    To prevent installing specific update:

    Windows Update does have a mechanism to block specific updates. The answer is revealed after right-clicking an update that should not be installed on the system, and that the user does not want to receive notifications about.

    A right-click, and the selection of Hide Update, unchecks the update in the updating software, and changes the color of the update's name to a lighter gray.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, August 31, 2016 5:21 AM
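
The known-issue note quoted above says the password of a disabled or locked-out account can still be set with Active Directory-based tools. An administrative reset along those lines, as an added example that is not part of the original thread or of Microsoft's article; it assumes the RSAT ActiveDirectory module is available, and the function name and the sample account are hypothetical:

```powershell
Import-Module ActiveDirectory

function Reset-LockedAccountPassword {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$Identity,
        [Parameter(Mandatory = $true)][System.Security.SecureString]$NewPassword
    )

    $user = Get-ADUser -Identity $Identity -Properties LockedOut, Enabled, PasswordNeverExpires

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Administrative password reset')) {
        # -Reset sets the password with the administrator's rights; the old
        # password is not needed, so no user-side "change" operation is involved.
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $NewPassword

        # Make the admin-chosen password a one-time secret where the account allows it.
        if (-not $user.PasswordNeverExpires) {
            Set-ADUser -Identity $user -ChangePasswordAtLogon $true
        }
        if ($user.LockedOut) { Unlock-ADAccount -Identity $user }
        if (-not $user.Enabled) {
            # Enabling an account is a separate decision; this helper never does it.
            Write-Warning "$($user.SamAccountName) is disabled; it was left disabled."
        }
    }

    # Return the resulting state so the reset can be recorded in the ticket.
    Get-ADUser -Identity $user -Properties LockedOut, Enabled, PasswordLastSet |
        Select-Object SamAccountName, Enabled, LockedOut, PasswordLastSet
}

# 'jdoe' is a constructed sample account name.
$secret = Read-Host -Prompt 'Temporary password for jdoe' -AsSecureString
Reset-LockedAccountPassword -Identity 'jdoe' -NewPassword $secret
```
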
  • Thanks Alvin Wang.

    Is there any hotfix released from Microsoft? Can you suggest any better solution?

    Regards

    Vajram Gajengi


    Wednesday, August 31, 2016 11:38 AM
  • Hi,

    I am sorry that currently no hotfix has been released to deal with this known issue; we recommend you wait for the next security patch.

    Thanks for your understanding and sorry for the inconvenience.

    Best Regards,

    Alvin Wang



    Thursday, September 1, 2016 8:16 AM
  • Hi Alvin,

    Thanks for the quick response.

    Please update us if any hotfix is released by Microsoft.

    Regards

    Vajram Gajengi

    Friday, September 2, 2016 4:26 PM
  • Hi Vajram,

    OK, I will keep you posted if there is any hotfix released.

    Thanks for your understanding and patience.

    Best Regards,

    Alvin Wang



    Monday, September 5, 2016 1:52 AM
  • Hi Alvin,

    We have removed the 3167679 patch and blocked it; after that, users were able to change passwords from the CTRL+ALT+DEL option.

    After 15 days we updated a few servers with the latest patches; now users who are logged on to the updated servers are unable to change their password.

    We have noticed that the 3167679 patch is not installed on those servers, but 15 new patches were installed, so we are unable to find which one is causing the issue.

    Please help on the same.

    Regards

    Vajram Gajengi

    Monday, October 3, 2016 4:50 PM
  • Hey,


    KB3175024 and KB3172605 from September are causing the same issue.

    How do you manage to disable (hide) updates if you have many Windows clients?

    I'm using PSWindowsUpdate but the command

    Hide-WUUpdate -KBArticleID "3167679" -MicrosoftUpdate -confirm:$false

    is just not doing anything on this update (but works well on other KBs).

    Thanks




    Tuesday, October 4, 2016 1:14 PM
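
For the question of which of the updates named in this thread is present on which server, an inventory with the built-in Get-HotFix cmdlet, as an added example that is not part of any post above. It assumes PowerShell 3.0 or later on the admin workstation and remote WMI access to the targets; the function name and server names are hypothetical:

```powershell
# KB numbers named in this thread.
$ThreadKbs = 'KB3167679', 'KB3175024', 'KB3172605'

function Get-ThreadKbStatus {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [string[]]$KbId = $ThreadKbs
    )
    foreach ($computer in $ComputerName) {
        try {
            # One query per machine, then filter locally; asking for a KB that
            # is not installed via -Id would raise an error instead.
            $installed = @(Get-HotFix -ComputerName $computer -ErrorAction Stop)
        } catch {
            # Report unreachable hosts explicitly so they are not read as "clean".
            [pscustomobject]@{
                ComputerName = $computer; KB = $null; Installed = $null
                InstalledOn  = $null;     Error = $_.Exception.Message
            }
            continue
        }
        foreach ($kb in $KbId) {
            $hit = $installed | Where-Object { $_.HotFixID -eq $kb } | Select-Object -First 1
            [pscustomobject]@{
                ComputerName = $computer
                KB           = $kb
                Installed    = [bool]$hit
                InstalledOn  = $(if ($hit) { $hit.InstalledOn } else { $null })
                Error        = $null
            }
        }
    }
}

# Constructed server names; replace with the real list (for example from a text file).
Get-ThreadKbStatus -ComputerName 'SRV-APP01', 'SRV-APP02' |
    Sort-Object KB, ComputerName |
    Format-Table -AutoSize
```

As the thread shows, the same behaviour can arrive under a different KB number, so a server reporting none of these three is not proof that the NTLM fallback for password changes is still available there.
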
  • Dear JechtPurgateur,

    I removed the mentioned KB3175024 and KB3172605 from one server facing the same issue and managed to hide the selected update.

    Thanks for PS script.

    Regards

    Vajram Gajengi

    • Edited by vajram Tuesday, October 4, 2016 4:32 PM
    Tuesday, October 4, 2016 4:30 PM
  • My pleasure.

    By the way, can you tell me if the PowerShell line works for you with the KB3167679 please?

    Regards

    Wednesday, October 5, 2016 8:41 AM
  • Hello,

    We noticed that our ability to change local user passwords through an asp webpage started to fail recently. We eventually identified this update (MS16-101) as the culprit. We can roll the update back for a temporary fix but this is not secure. We were wondering if Microsoft plans to provide an alternative fix in the future that would continue to give us a way to allow users to change AD password via an asp page.

    If no fix is planned, could you give some recommendations on how to provide this functionality.

    Thanks,

    DM

    Friday, October 7, 2016 2:43 PM
  • Hello,

    How do you manage to remove the update on the client desktop please?

    I don't get how the whole world is doing. If you have 1k5 PCs to downgrade you won't use the GUI!

    Thx

    Monday, October 10, 2016 8:46 AM
  • Did anyone get a resolution to this problem?

    Jeff

    Thursday, January 12, 2017 8:59 AM