Error setting password -- "Unable to set the User's password. The specified network password is not correct."

  • 7017608
  • 16-May-2016
  • 16-Apr-2020

Environment

NetIQ Directory and Resource Administrator 8.7.x

NetIQ Directory and Resource Administrator 9.x

NetIQ Directory and Resource Administrator 10.0.x

Microsoft Windows Server 2012 and newer

Situation

  1. NetIQ Directory and Resource Administrator (DRA) is configured to manage at least one Microsoft Active Directory (AD) Domain with 2012 or newer domain controllers.
  2. The Microsoft Windows Server OS hosting the DRA Server is at least Windows 2012.
  3. The managed domain's properties in DRA indicate the Domain Access Account is configured with the option 'use the Directory Resource Administrator Service Account'.
  4. When attempting to reset a user's AD password or create a new AD user, an error occurs.
    • The error text indicates: "Unable to set the User's password. The specified network password is not correct."

Resolution

  1. Configure the Domain Access Account to be a specific account name.
    • This account name can be the exact same name as the AD account running the NetIQ Administration Service.
  2. Issue a machine-level SSL certificate to the Windows OS used to host the DRA Server.
    • The certificate authority used to issue the certificate must be trusted by both the DRA Server OS and the Domain Controller OS.
    • After the certificate is issued to the DRA Server OS, the DRA Services must be restarted on the DRA Server.
  3. Restart the NetIQ Administration Service.
    • This option restores the functionality for only about 12 hrs.
      • After 12 hrs the default certificate expires.

Cause

As of Windows Server 2012, Microsoft requires an encrypted connection, using Secure LDAP (LDAPS), between the client and the domain controller. Currently the connection between the DRA Server and the Domain Controller(s) uses basic LDAP. When DRA is configured to use a specific account to access an AD domain, the service must open a new connection to the domain for each request, and each new connection creates a new default certificate.
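Before applying step 2 of the resolution, it is worth confirming from the DRA Server OS that the domain controller accepts an LDAPS connection and that the certificate it presents chains to a CA trusted on that host. The script below is an added check and is not part of this article or of DRA; $dcName is an assumed placeholder for the domain controller's FQDN.

```powershell
# Added check (not from the KB article): connect to the DC on the LDAPS port,
# complete a TLS handshake, and report whether the DC certificate chains to a
# CA trusted by this host. $dcName is an assumed placeholder.
param(
    [Parameter(Mandatory = $true)][string]$dcName,
    [int]$Port = 636
)

$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($dcName, $Port)
} catch {
    Write-Output "LDAPS port $Port on $dcName is not reachable: $($_.Exception.Message)"
    return
}

# Accept any certificate during the handshake so it completes; the trust check
# is performed explicitly below rather than inside the callback.
$acceptAll = { param($sender, $cert, $chain, $errors) $true }
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($dcName)
} catch {
    Write-Output "TLS handshake with $dcName failed: $($_.Exception.Message)"
    $client.Close()
    return
}

# Rebuild the chain against this host's trust store (the DRA Server OS).
$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline-friendly; enable if CRL/OCSP is reachable
$trusted = $chain.Build($serverCert)

[pscustomobject]@{
    DomainController = $dcName
    Subject          = $serverCert.Subject
    Issuer           = $serverCert.Issuer
    NotAfter         = $serverCert.NotAfter
    ChainTrusted     = $trusted
    ChainStatus      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
}

$ssl.Close()
$client.Close()
```

A ChainTrusted value of False (with a status such as UntrustedRoot) means the issuing CA is not trusted on this host, which is the prerequisite that step 2 of the resolution calls out.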

Microsoft Directory Services can be configured to disable the requirement to reset passwords over Secure LDAP:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732352(v=ws.11)