"ErrorPasswordChangeNotAllowed": "You are not allowed to change your password. Please contact your system administrator."

[LingTjal]

PassCore Server

• OS: [Windows]

• Provider: [Active Directory]

• Settings file (without sensitive information):
  {
  "Logging": {
  "IncludeScopes": false,
  "LogLevel": {
  "Default": "Debug",
  "System": "Information",
  "Microsoft": "Information"
  }
  },
  "WebSettings": {
  "EnableHttpsRedirect": true
  },
  "AppSettings": {
  // The following options for AD Provider (remove if you don't use this Provider)
  "UseAutomaticContext": true, // Set true to allow PassCore to reset password using the same credentials, or false if you will fill the credentials below
  "RestrictedADGroups": [
  "Administrators",
  "Domain Admins",
  "Enterprise Admins"
  ], // Set the AD groups to restrict the use of PassCore
  "AllowedADGroups": ["Domain Users"], // Set the AD Groups to allow PassCore, if the array is empty all the groups no-restricted above are allowed
  "IdTypeForUser": "UPN", // Possible values are "DN", "GUID", "Name", "SAM", "SID" and "UPN" (Default UPN)
  "UpdateLastPassword": false, // Set true to allow PassCore to update the last password timestamp
  // The following options are for LDAP Provider (remove if you don't use this Provider)
  "LdapSearchBase": "ou=people,dc=example,dc=com",
  "LdapSecureSocketLayer": false, // Default for AD is true when using LDAPS 636
  "LdapStartTls": false, // Default for AD is true when using LDAP 389
  "LdapChangePasswordWithDelAdd": true,
  "LdapSearchFilter": "(sAMAccountName={Username})", // Another value: "(&(objectClass=person)(cn={Username}))"
  // General options (valid for both providers)
  "LdapHostnames": [ "" ], // Set your hostname(s)
  "LdapPort": 389, // Default for AD is 389, for LDAPS 636
  "LdapUsername": "", // Set the username or distinguish name (DN) to bind the LDAP server
  "LdapPassword": "", // Set the password for the username
  "DefaultDomain": "" // Set your default AD domain here, or non "@" logins will not work! Use empty value to allow user to set the domain. This option is ONLY available with UPN.
  },
  "ClientSettings": {
  "ValidationRegex": {
  "EmailRegex": "^[a-zA-Z0-9.!#$%&’+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)$",
  "UsernameRegex": "^[a-zA-Z0-9._-]{3,20}$"
  },
  "UsePasswordGeneration": false, //Set true to let PassCore create a new password for the current account. If true the user can not customize its new password.
  "MinimumDistance": 0, //The minimum distance beetween the old and the new password, this is used to enforce the edit distance using the levenshtein distance algorithm.
  "PasswordEntropy": 16, // the number of bytes of entropy to use for generated passwords
  "ShowPasswordMeter": true,
  "MinimumScore": 0, //The minimum acceptable score that the user's new password needs to get at being evaluated by ZXCVBN to be established as the new password.
  "Recaptcha": {
  "SiteKey": "", // ReCAPTCHA public key: replace this! or leave empty if you don't need ReCAPTCHA
  "PrivateKey": "", // ReCAPTCHA private key: replace this! or leave empty if you don't need ReCAPTCHA
  "LanguageCode": "en"
  },
  "UseEmail": "true",
  "ApplicationTitle": "Change Account Password | Self-Service Account Management Tools",
  "ChangePasswordTitle": "Change Account Password",
  "ChangePasswordForm": {
  "HelpText": "If you are having trouble with this tool, please contact IT Support",
  "UsernameLabel": "Username",
  "UsernameHelpblock": "Your organization's email address",
  "UsernameDefaultDomainHelperBlock": "Your organization's username",
  "CurrentPasswordLabel": "Current Password",
  "CurrentPasswordHelpblock": "Enter your current password",
  "NewPasswordLabel": "New Password",
  "NewPasswordHelpblock": "Enter a strong password. You can use this tool to help you create one; use the XKCD (random sep, pad digit), or NTLM, options.",
  "NewPasswordVerifyLabel": "Re-enter New Password",
  "NewPasswordVerifyHelpblock": "Enter your new password again",
  "ChangePasswordButtonLabel": "Change Password"
  },
  "ErrorsPasswordForm": {
  "FieldRequired": "This field is required",
  "UsernamePattern": "Please enter a valid username",
  "UsernameEmailPattern": "Please enter a valid email address",
  "PasswordMatch": "Passwords do not match"
  },
  "Alerts": {
  "SuccessAlertTitle": "You have changed your password successfully.",
  "SuccessAlertBody": "Please note it may take a few hours for your new password to reach all domain controllers.",
  "ErrorPasswordChangeNotAllowed": "You are not allowed to change your password. Please contact your system administrator.",
  "ErrorInvalidCredentials": "You need to provide the correct current password.",
  "ErrorInvalidDomain": "You have supplied an invalid domain to logon to.",
  "ErrorInvalidUser": "We could not find your user account.",
  "ErrorCaptcha": "Could not verify you are not a robot.",
  "ErrorFieldRequired": "Fulfill all the fields.",
  "ErrorFieldMismatch": "The passwords do not match.",
  "ErrorComplexPassword": "Failed due to password complex policies: New password length is shorter than AD minimum password length",
  "ErrorConnectionLdap": "Unhandled error connecting to the LDAP server.",
  "ErrorScorePassword": "The password you are trying to set is not secure enough.",
  "ErrorDistancePassword": "The password you are trying to set is not diferent enough of your last password.",
  "ErrorPwnedPassword": "The password you are trying to use is publicly known and can be used in dictionary attacks."
  }
  }
  }

• Log file (without sensitive information):

[Microsoft.AspNetCore.Mvc.IActionResult] Post(Unosquare.PassCore.Web.Models.ChangePasswordModel) on controller Unosquare.PassCore.Web.Controllers.PasswordController (Unosquare.PassCore.Web).

warn: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[0]

  Using AutomaticContext

Describe the bug

• Testuser can change password on windows but not via passcore website
• Error: "You are not allowed to change your password. Please contact your system administrator."

To Reproduce
Steps to reproduce the behavior:
Tried setting the "AllowedADGroups" to "domain users" and also tried it default (empty), but none work

Expected behavior
A succesful password change is to be expected, but not working

Desktop (please complete the following information):

• OS: Windows 10, Windows Server 2012R2
• Browser Chrome, Firefox

[fredericfleury]

Hi,

I have the same issue with the same warn message.
No error message in the log file.
I tried to disable the automatic context, but I have an error 0x80005000 (I found that this message is due to the automatic context and the clue to slove the problem is to activate the automatic context).
warn: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[0]

  Not using AutomaticContext  xxxxx.yyyyyyyyy:389

warn: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[0]

  Unknown error (0x80005000)

I tested the connection between my server and one of my AD server on port 389 : all is fine.
When I changed my username, I had the message : user not found, so for me, the connection between the applicatopn end the server is OK.

I tried to change almost all the options to test, but I can't find something.
If someone has an idea....

Many thanks.

Edit : I changed the debug level from debug to Trace, and this is what I got :

info: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[0]

  PerformPasswordChange for user test-user

info: Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker[2]

  Executed action method Unosquare.PassCore.Web.Controllers.PasswordController.Post (Unosquare.PassCore.Web), returned result Microsoft.AspNetCore.Mvc.BadRequestObjectResult in 307.5205ms.

trce: Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker[2]

  Action Filter: Before executing OnActionExecuted on filter Microsoft.AspNetCore.Mvc.ModelBinding.UnsupportedContentTypeFilter.

trce: Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker[3]

  Action Filter: After executing OnActionExecuted on filter Microsoft.AspNetCore.Mvc.ModelBinding.UnsupportedContentTypeFilter.

trce: Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker[3]

  Action Filter: After executing OnActionExecutionAsync on filter Microsoft.AspNetCore.Mvc.Filters.ControllerActionFilter.

trce: Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker[4]

  Before executing action result Microsoft.AspNetCore.Mvc.BadRequestObjectResult.

[fredericfleury]

Hello,

nobody has an idea please?
@LingTjal : did you manage to find somenthing please?

Thanks.

[hkml2000]

Hello,

I had the same issue,
solved after setting "RestrictedADGroups": [], //empty brackets

[fredericfleury]

@hkml2000 : Thank you for your solutions.
It solved this problem.
But now, I have a new error message :

fail: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[888]

  ValidateGroups

System.NullReferenceException: Object reference not set to an instance of an object.

at Unosquare.PassCore.PasswordProvider.PasswordChangeProvider.b__7_0(Principal x) in C:\Unosquare\passcore\src\Unosquare.PassCore.PasswordProvider\PasswordChangeProvider.cs:line 175

@edit : solved by adding only one group in restrictedAdGroup

[MisterCubanSandwich]

We fixed this by following the instructions here and setting the minimum password age to 0. It was previously set to 1 in our environment.

[JonathanBosse]

I ran into the same error message this morning when testing passcore for my work environment and found what seems to be a bug.

In the "PasswordChangeProvider", there is a method invoked to validate the groups of the users and at some point it looks for the appsetting "AllowedADGroups". Here is what the code looks like :

return groups?.Any(x => _options.AllowedADGroups?.Contains(x.Name) == true) == true
    ? null
    : new ApiErrorItem(ApiErrorCode.ChangeNotPermitted, "The User principal is not listed as allowed");

The appsetting "AllowedADGroups" documentation says the following :

Set the AD Groups to allow PassCore, if the array is empty all the groups no-restricted above are allowed

However, with the way it is currently written, it appears that if the array is empty, it will return an ApiErrorItem instead. That is because _options.AllowedADGroups?.Contains(x.Name) would return null instead of true when _options.AllowedADGroups is empty.

What I think could fix this issue is by either making it so _options.AllowedADGroups is an empty list rather than null when the corresponding appsetting is empty, or by changing the previous condition to be _options.AllowedADGroups?.Contains(x.Name) != false.

As for me, I did apply the second fix (changing the condition) and I managed to successfully change the password of the AD accounts.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[simonai1254]

Looks like this should still be looked at...

[lfrancfort]

Same error on my AD domain/forest.
I checked password GPO and it' OK
I can change the password using CTRL-ALT-DEL on a domain joined PC.

Log files don't contain interesting information

[MisterCubanSandwich]

Have you tried changing minimum password age to 0?