RDP Message: You must change your password before logging on the first time. Please update your password or contact ...

  • Question

  • Hi,
    I tried to connect from a Windows 2012 R2 server via RDP to a Windows 2012 R2 server.
    From the same subnet and also from a different subnet.
    My user account on the second server was set to: "User must change password at next logon"
    Every time I try to connect I get the error message: "You must change your password before logging on the first time. Please update your password or contact your system administrator or technical support"
    If I remove "User must change password at next logon" I can connect without any issue.

    I found several posts online which describe the same behavior.
    So I went on the destination PC to Control Panel -> System -> Remote and disabled "Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)" and tried to connect again.
    Again it fails.
    Now I saved the RDP connection on the source PC to disk and opened the *.rdp file with Notepad.
    I added at the end:
    enablecredsspsupport:i:0
    and now it was possible to connect.

    Why is it not possible to change my password on the destination PC when NLA is activated???
    And also why do I have to modify the *.rdp file in Windows Server 2012 R2 Clients?

    Here are some tests with Windows 2012 R2 and Windows Server 2008 R2.

    Source                  RDP-Client                Destination             Security      Change password possible?
    Windows Server 2008 R2  -                         Windows Server 2012 R2  NLA active    no
    Windows Server 2012 R2  -                         Windows Server 2012 R2  NLA active    no
    Windows Server 2008 R2  -                         Windows Server 2012 R2  NLA disabled  yes
    Windows Server 2012 R2  -                         Windows Server 2012 R2  NLA disabled  no
    Windows Server 2008 R2  enablecredsspsupport:i:0  Windows Server 2012 R2  NLA disabled  yes
    Windows Server 2012 R2  enablecredsspsupport:i:0  Windows Server 2012 R2  NLA disabled  yes

    Thank you + Best regards
    Stefan


    Thursday, February 4, 2016 10:20 AM

All replies

  • Hi,

    Adding “enablecredsspsupport:i:0” to the *.rdp file is used to disable “Credential Security Support Provider” (CredSSP) in the RDP client. This disables Network Layer Authentication, the pre-RDP-connection authentication, and therefore enables you to change your password via RDP.

    CredSSP is the underlying technology that enables NLA, and it does not support password changes. Therefore, password changes are not enabled in MSTSC. Other RD clients that support NLA should be unable to change the user’s password.

    The articles below provide a detailed explanation of a similar problem:
    https://support.microsoft.com/en-us/kb/2648402

    https://support.microsoft.com/en-us/kb/2648397

    https://blogs.msdn.microsoft.com/rds/2014/06/04/failed-logons-due-to-expired-passwords-password-change-functionality-in-rd-web-access/

    Best Regards,
    Eve Wang

    Friday, February 5, 2016 7:42 AM
    Moderator
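
As an added example (not part of the original thread and not Microsoft's code): a Python script that scans saved .rdp files for the `enablecredsspsupport:i:0` line discussed above, so that connections which bypass CredSSP/NLA can be found and reviewed. The sample file contents and hostnames are constructed, and treating a missing setting as "CredSSP on" is an assumption about the client default.

```python
import codecs

SETTING = "enablecredsspsupport"  # the line the poster added to the .rdp file

def decode_rdp(raw: bytes) -> str:
    # Assumption: mstsc saves UTF-16 with a BOM; Notepad edits may leave ANSI/UTF-8.
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")

def parse_rdp(text: str) -> dict:
    """Map each setting name to every value given for it ('name:type:value' lines)."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)  # values such as host:port keep their colons
        if len(parts) != 3:
            continue
        name, kind, value = (p.strip() for p in parts)
        if kind.lower() == "i":
            try:
                value = int(value)
            except ValueError:
                continue  # malformed integer setting, ignore the line
        settings.setdefault(name.lower(), []).append(value)
    return settings

def credssp_state(raw: bytes) -> str:
    """'disabled' if any line turns CredSSP off, 'enabled' if only set to 1, else 'default'."""
    values = parse_rdp(decode_rdp(raw)).get(SETTING)
    if not values:
        return "default"  # setting absent: assumed to leave CredSSP on
    return "disabled" if 0 in values else "enabled"

# Constructed sample files (hostnames are placeholders).
SAMPLES = {
    "dmz-edited.rdp": "full address:s:dmz01.example:3389\r\nenablecredsspsupport:i:0\r\n".encode("utf-16"),
    "plain.rdp": b"full address:s:dmz02.example\r\nprompt for credentials:i:1\r\n",
    "explicit.rdp": b"EnableCredSSPSupport:i:1\r\n",
}

def audit(files: dict) -> list:
    """Return the names of .rdp files that connect without CredSSP/NLA."""
    return sorted(n for n, raw in files.items() if credssp_state(raw) == "disabled")

if __name__ == "__main__":
    for name in audit(SAMPLES):
        print(f"{name}: CredSSP disabled, logon will skip NLA")
```

A file is reported as soon as any line sets the value to 0, so a duplicated setting cannot hide the downgrade.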
  • Hi,
    Thank you for your feedback, I hoped you would have a better message for us...
    This is really sad... that it is not possible.
    Our DMZ consists of around 300 workgroup servers and we were really interested in using NLA....

    But what I don't understand.... when I disable NLA on the destination server, why must I also disable CredSSP on the source PC? And why only on 2012 R2, and not on 2008 R2?

    Best regards
    Stefan

    Tuesday, February 16, 2016 4:38 PM
  • Hi,

    We face the same issue, do you have any good idea to fix it? Thanks.

    Best Regards,
    Xibin Zhang

    Tuesday, December 5, 2017 3:51 AM