MS16-101 Prevents SharePoint From Changing Managed Account Passwords

MS16-101 is a security update that prevents protocol fallback (Kerberos to NTLM) from taking place to change account passwords.

This security update disables the ability of the Negotiate process to fall back to NTLM when Kerberos authentication fails for password change operations.

Currently, the ability to change the passwords of disabled or locked-out accounts is supported only by NTLM. It is not supported by the Kerberos protocol. This security update prevents the Negotiate process from falling back to NTLM for password change operations when Kerberos authentication fails. Therefore, you will no longer be able to change the password for disabled or locked-out accounts after you install this security update. It is not secure to change disabled or locked-out user account passwords by using NTLM. This is why the ability of Negotiate to fall back to NTLM is disabled by this security update.

It is no longer possible to use the ‘Set account password to a new value’ or ‘Generate new password’ option for a Managed Account in SharePoint 2013 or 2016. SharePoint 2010 is likely affected as well, since it uses the same API to change passwords, although I’ve not seen any reports. If MS16-101 is installed on your Domain Controller(s) and/or SharePoint server(s), attempting to set a Managed Account’s password, or to have SharePoint generate a random one, produces the following error in Central Administration:

[Screenshot: SetPasswordError]

In the ULS log, you’ll see a similar error:

The underlying error is 1265, ERROR_DOWNGRADE_DETECTED. Nothing very useful appears in network traces on the SharePoint server or Domain Controller, but given the KB article’s note, it is clear that SharePoint is using NTLM when it attempts to change the password in Active Directory.

There are two solutions:

If you rely on automatic password change, or on specifying a password and having SharePoint change it in Active Directory, uninstall KB3177108 (Windows Server 2012/Windows Server 2012 R2) and KB3167679 (Windows Server 2008 and Windows Server 2012 R2) from your Domain Controllers and SharePoint servers.

If you reset passwords in Active Directory (ADUC, PowerShell, etc.), and use the ‘Use existing password’ option, no changes need to be made as SharePoint only contacts the Domain Controller to validate the password.

8 Comments

  1. Hi Trevor,

    Thank you for this article. I am also facing this issue. We cannot uninstall KB3177108 (Windows Server 2012/Windows Server 2012 R2) from our servers.

    Is there any other way to overcome this issue, or any other KB released by MS to resolve it?

    Thanks
    Vikas

  2. You can use the workaround described in the section “known issues 6” of this KB article https://support.microsoft.com/en-us/kb/3177108. Adding the registry key NegoAllowNtlmPwdChangeFallback and setting it to 1 on the SharePoint server that hosts the Central Administration or where you are doing PS resolved the issue for me, but it is clearly not recommended. Good luck!
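A read-only audit that ties the post’s two facts together, the MS16-101 package IDs named in the body and the NegoAllowNtlmPwdChangeFallback override mentioned in the comment above. It is an added example, not code from the post or from Microsoft; it assumes WinRM access to the servers, the constructed server names in $Servers, and that the override lives under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa (the KB article’s location, not stated on this page).

```powershell
# Added audit script; not from the original post. Reports, per server, whether the
# MS16-101 packages are present and whether the NTLM password-change fallback has
# been re-enabled via the registry override. Changes nothing.
$Servers = @('SPCA01', 'SPAPP01', 'DC01')          # constructed sample hostnames
$Kbs     = @('KB3177108', 'KB3167679')             # MS16-101 packages named in the post
$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'   # assumed location (from the KB)
$Value   = 'NegoAllowNtlmPwdChangeFallback'

function Get-PwdChangeFallbackState {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Which of the MS16-101 packages are installed on this host?
    $installed = Get-HotFix -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        Where-Object { $Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    # Has the insecure NTLM fallback for password changes been switched back on?
    $fallback = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($k, $v)
        (Get-ItemProperty -Path $k -Name $v -ErrorAction SilentlyContinue).$v
    } -ArgumentList $LsaKey, $Value

    $finding = if ($fallback -eq 1) {
        'NTLM password-change fallback re-enabled (override = 1); review'
    } elseif ($installed) {
        'MS16-101 present; rotate via AD reset + "Use existing password"'
    } else {
        'MS16-101 packages not found'
    }

    [pscustomobject]@{
        Server            = $ComputerName
        MS16101Packages   = ($installed -join ',')
        NtlmFallbackValue = $fallback      # $null = override not set
        Finding           = $finding
    }
}

$Servers | ForEach-Object { Get-PwdChangeFallbackState -ComputerName $_ } | Format-Table -AutoSize
```

Servers reporting an override value of 1 have reopened the downgrade path the update closed, so they are worth a ticket even if password rotation “works” there.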

  3. I am having this issue and was looking into your blogs to find the solution. Finally found it :). Thanks Trevor, you rock!

  4. FYI: this problem has been resolved with November 2016 CU for SharePoint 2013 and 2016.

  5. Hi Stefan, how about SP2010?

