MS16-137: Description of the security update for Windows authentication methods: November 8, 2016

Important

• If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you require before you install this update. For more information, see Add language packs to Windows.

Known issues in this security update

User-initiated and programmatic password changes to domain user accounts may fail if the same user account is logged on to more than one computer at the same time and is used to make password changes to the same user account from two or more computers. Such password changes fail only if NTLM is used. 

Specifically, the following errors are returned: 

Example scenario

1. A domain user logs on to computer A and computer B.
2. The user changes their domain password from computer A without logging off computer B.
3. The domain user tries to change their password from computer B. 

In this scenario, the password change attempt from computer B may fail with the following error message:


If the password change is performed programmatically, you may receive either an ERROR_DOWNGRADE_DETECTED or a STATUS_DOWNGRADE_DETECTED error status. This behavior occurs when the NTLM authentication package is used for the password change for domain accounts if Kerberos fails to find a domain controller and then falls back to NTLM. In this scenario, NTLM fallback was disabled by MS16-101 and was re-enabled by MS16-137-related updates.


Calling NTLM directly also causes password changes to fail in this scenario. To resolve all domain password change issues, make sure that Kerberos is functional, and also make sure that Kerberos is used for password changes to domain accounts. For more information, see the "Known issue 1" section in KB 3167679 .