5

I'm using federated identity for Office-365 single sign-on. I have added the password change endpoint to my ADFS 3.0 server, and successfully opened the ADFS update password page. However, whenever I try to update the password I get the error above. I made sure of the following:

1- I made my password too complex, containing capital, small, number and non-alphanumeric characters
2- I waited for 1 hour as I found that the minimum age for the password is 1 hour in the ADSI Editor

I opened Group Policy Management --> expanded my domain name --> Domain Controllers --> Default Domain Controllers Policy --> Right-Click Edit --> navigated to Password Policy. I found that all the Policy settings are set to "Not Defined".

I opened my ADFS server and opened Local Group Policy Editor --> navigated to Password Policy and the settings are as follows: [image]

I made sure that my password complies with these settings:

When this policy setting is enabled, users must create strong passwords to meet the following minimum requirements:

- Passwords cannot contain the user's account name or parts of the user's full name that exceed two consecutive characters.
- Passwords must be at least six characters in length.
- Passwords must contain characters from three of the following four categories:
  - English uppercase characters (A through Z).
  - English lowercase characters (a through z).
  - Non-alphabetic characters (for example, !, $, #, %).

What could be wrong that I can't update the password through the ADFS password change page?

user3340627
  • Can you change the password to your requested password via a domain joined, on network system? That will isolate it to either the password or ADFS. – Jim B Feb 01 '16 at 16:04
  • 2
    You can run RSOP.MSC to determine the name of the policy controlling passwords. After it runs, navigate to Computer/Windows/Security Settings/Account Policies/Password Policy. You may find it resides in "Default Domain Policy" instead of "Default Domain Controllers Policy". This could be more complex if you are using "Fine Grained Password" policies? – Clayton Feb 01 '16 at 21:23
  • Please bear with me as I don't have any previous experience in this. @JimB My attempt to change the password via ADFS page was while being connected to VPN. But I can reset the user password from the "Active Directory Users and Computers", and I can update it to the same exact password that doesn't work through ADFS page. – user3340627 Feb 03 '16 at 15:57
  • @Craig620 I ran this on one of the computers in the network and the password policy settings are "Not Defined". I tried adding a new Group Policy for the specific OU I'm working on and set the Password Policy for it, then I right clicked on the OU --> All Tasks --> Resultant set of Policy and then navigated to the Password policy but still it was shown as "Not Defined" – user3340627 Feb 03 '16 at 16:01
  • Settings from newly created/linked GPOs will not be applied until the machine updates policy (default once per 90 min). You can manually update with "GPUpdate /Target:Computer". However, your response to @JimB indicates this problem is probably not related to domain password policy and is most likely caused by something within ADFS. – Clayton Feb 03 '16 at 16:32

3 Answers

2

Although I changed the minimum password age in the password policy, I still had to change the minimum password age to 0:00:00 in the ADSI Editor for the DC I'm in.

@JimB and @Craig620, your help is greatly appreciated.

user3340627
2

Domain controllers ignore password, lockout, or Kerberos policy settings defined at an organizational unit, such as the Domain Controllers OU.

You should define legacy password policies in the Default Domain Policy or another top-level GPO.

As a test I created password policy settings in both the Default Domain Policy and Default Domain Controllers Policy. See the Winning GPO:

[image]

Reference:

https://technet.microsoft.com/en-us/library/cc756064%28v=ws.10%29.aspx

Greg Askew
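A read-only check of the two things the answers above turn on, added here as an example and not part of any post on this page: which password policy is actually in effect for an account, and whether the minimum password age still blocks a user-initiated change. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the function name `Test-PasswordChangeAllowed` and the account name `jdoe` are hypothetical.

```powershell
# Added example: requires the ActiveDirectory module (RSAT). Read-only queries.
Import-Module ActiveDirectory

function Test-PasswordChangeAllowed {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Identity)

    # Domain-wide values stored on the domain object (minPwdAge, pwdHistoryLength, ...).
    # Password settings in GPOs linked to an OU do not change these.
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy

    # Returns nothing unless a fine-grained password policy (PSO) applies to the user.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $Identity

    if ($pso) { $effective = $pso;          $source = "PSO '$($pso.Name)'" }
    else      { $effective = $domainPolicy; $source = 'Domain policy' }

    $user = Get-ADUser -Identity $Identity -Properties PasswordLastSet

    # PasswordLastSet is empty when the account must change its password at next
    # logon; the minimum age does not block a change in that state.
    if ($user.PasswordLastSet) {
        $earliest = $user.PasswordLastSet + $effective.MinPasswordAge
    } else {
        $earliest = $null
    }

    [pscustomobject]@{
        User              = $user.SamAccountName
        PolicySource      = $source
        ComplexityEnabled = $effective.ComplexityEnabled
        MinPasswordLength = $effective.MinPasswordLength
        PasswordHistory   = $effective.PasswordHistoryCount
        MinPasswordAge    = $effective.MinPasswordAge
        PasswordLastSet   = $user.PasswordLastSet
        EarliestChange    = $earliest
        # A user-initiated change (such as the ADFS update password page) is refused
        # before EarliestChange; an administrative reset is not subject to minimum age.
        ChangeAllowedNow  = (-not $earliest) -or ((Get-Date) -ge $earliest)
    }
}

Test-PasswordChangeAllowed -Identity 'jdoe'   # 'jdoe' is a placeholder account
```

If `ChangeAllowedNow` is false while a reset from Active Directory Users and Computers succeeds with the same password, the minimum password age is the setting to look at rather than complexity.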
-2

Today I faced the same problem. By following all the above experts' suggestions and my R&D, I prepared the following document. Please go through below for cause and resolution.

Unable to update the password the value provided

vijay
  • 1
    Welcome to Server Fault! Your answer currently does not seem to provide a workable solution to the question and might be more appropriate as a question. Please read [How do I write a good answer?](http://serverfault.com/help/how-to-answer) and [How do I ask a good question?](http://serverfault.com/help/how-to-ask) Note that documentation review may be outside the scope of Server Fault. And don't forget to take the [site tour](http://serverfault.com/tour). – Paul Jul 09 '16 at 15:21
  • 1
    Welcome to Server Fault! Whilst this may theoretically answer the question, please [provide context around links](http://serverfault.com/help/how-to-answer) so others will have some idea what it is and why it’s there. If possible summarise or quote the most relevant part of an important link, in case the target site is unreachable or goes permanently offline. – HBruijn Jul 09 '16 at 15:41