Can Users Change Expired Passwords via RDP to Windows Server 2012 R2 / Windows 8.1 if NLA is Disabled?

  • Environment: Primarily Windows Server 2012 R2 servers and Windows 8.1 clients, with some older versions of Windows Server and Windows client

    I understand that if a user's password has expired and they attempt to make a remote desktop connection (RDP) to a computer running Windows Server 2012 R2 or Windows 8.1, and if Network Level Authentication is enabled on the remote computer, then the user is not allowed to change their expired password. Instead, they receive this prompt:

    "This user account's password has expired. The password must change in order to logon. Please update the password or contact your system administrator or technical support."

    However, even when Network Level Authentication has been disabled on all computers in our domain, users whose passwords have expired still get the above prompt when connecting via RDP to Windows Server 2012 R2 or Windows 8.1. I do not understand why we still receive this prompt even when NLA is disabled. Older versions of Windows still allow users to change their expired passwords in the RDP logon session.

    I also understand that RD Web Access can be enabled as a workaround for this issue, but I first want to understand why users cannot change their expired passwords even when Network Level Authentication is disabled. Reference: http://blogs.msdn.com/b/rds/archive/2014/06/04/failed-logons-due-to-expired-passwords-password-change-functionality-in-rd-web-access.aspx

    -Taylorbox

    Friday, February 27, 2015 9:58 PM

All replies

  • Hi,

    Did you receive any specific event log for your case?

    Generally by disabling NLA the user can change the password through RDP session. Please try to disable the NLA policy setting under below path and verify.
    Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security
    Require user authentication for remote connections by using Network Level Authentication: Disable

    Hope it helps!

    Thanks.

    Dharmesh Solanki

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Saturday, February 28, 2015 7:26 AM
  • Are your users making direct RDP connections or going via a broker?

    Regards, Samir Farhat Infrastructure Consultant

    Saturday, February 28, 2015 10:38 AM
  • Dharmesh,

    We have already disabled NLA using that group policy setting. It is in our Default Domain Policy, which is enforced and applies to all of our clients, servers, and domain controllers. I even confirmed that this setting is not enabled on any of our computers via their local group policy.

    I noted that this GPO's description says: "On Windows Server 2012 and Windows 8, Network Level Authentication is enforced by default." But this does not mean that NLA cannot be disabled at all on 2012 / Win8 and newer, does it?

    When I RDP using an account with an expired password, the destination server logs the following Audit Failure event 4625 in its Security log:

    An account failed to log on.

    Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

    Logon Type: 3

    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: <the_username_with_expired_password_is_shown_here>
    Account Domain: <the_Active_Directory_domain_is_shown_here>

    Failure Information:
    Failure Reason: The specified account's password has expired.
    Status: 0xC000006E
    Sub Status: 0xC0000071

    Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -

    Network Information:
    Workstation Name: <the_workstation_name_is_shown_here>
    Source Network Address: -
    Source Port: -

    Detailed Authentication Information:
    Logon Process: NtLmSsp 
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

    This same event is logged on Windows Server 2008 R2 as well as 2012 R2, yet, as I wrote previously, in the 2008 R2 RDP session we are allowed to change the expired password.

    Since NLA is disabled, why are we not allowed to change our expired passwords on 2012 R2 / Win8.1?

    -Taylorbox
    • Edited by Taylorbox Saturday, February 28, 2015 1:46 PM
    Saturday, February 28, 2015 1:42 PM
  • Samir,

    We are simply using normal RDP logon sessions (2 sessions maximum on our servers). We do not use Remote Desktop connection brokers or gateways or server farms or anything like that.

    -Taylorbox

    Saturday, February 28, 2015 1:46 PM
  • Does anyone have any more input or advice for me on this issue?

    -Taylorbox

    Wednesday, March 4, 2015 1:36 PM
    • Edited by Kindersama Thursday, March 12, 2015 9:09 AM
    Thursday, March 12, 2015 9:09 AM
  • Thank you, Kindersama. Changing the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer value from 1 to 0 does indeed allow the user to change their expired password on Windows Server 2012 R2. I also found that, as an alternative, leaving the SecurityLayer value set to 1 but changing the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\MinEncryptionLevel value from 3 or 2 to 1 also allows the user to change their expired password.

    Unfortunately, these changes also lower the security of the RDP connection, basically reverting it back to Windows XP/Windows Server 2003 level security. What's strange is that it is not necessary to lower this security setting on Windows Server 2008 R2 in order to allow users to change their expired passwords. But for some reason this is necessary on Windows Server 2012 R2. Why? Can anyone tell me why??

    We of course very much prefer to not run our 2012 R2 Windows servers with old and weak RDP security/encryption settings... 

    Thursday, March 12, 2015 4:29 PM
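    As an added example that is not from this thread, the following PowerShell (run in an elevated session on the Remote Desktop Session Host) reads the RDP-Tcp listener values discussed above and flags the two weakened states (SecurityLayer 0, or MinEncryptionLevel 1), and then lists recent 4625 failures that carry the expired-password Status/SubStatus pair shown in the event above. The value-to-name mappings are the documented meanings of those registry values; the 24-hour window is an assumed default.

```powershell
# Added example (not from the thread): audit the server-side RDP-Tcp listener
# settings discussed above and count recent expired-password logon failures.
# Run in an elevated PowerShell session on the Remote Desktop Session Host.

$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpListenerSecurity {
    $p = Get-ItemProperty -Path $rdpTcp
    $securityLayer = @{ 0 = 'RDP Security Layer (legacy)'; 1 = 'Negotiate'; 2 = 'TLS' }
    $encryption    = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS' }
    [pscustomobject]@{
        NlaRequired        = ($p.UserAuthentication -eq 1)
        SecurityLayer      = $securityLayer[[int]$p.SecurityLayer]
        MinEncryptionLevel = $encryption[[int]$p.MinEncryptionLevel]
        # Either workaround from the thread falls back to legacy RDP protocol
        # security, so flag both so they can be reviewed and reverted later.
        LegacySecurity     = ($p.SecurityLayer -eq 0 -or $p.MinEncryptionLevel -le 1)
    }
}

function Get-ExpiredPasswordRdpFailures {
    param([int]$Hours = 24)   # assumed default window
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the EventData fields out of the event XML by their Name attribute
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        # Status 0xC000006E / SubStatus 0xC0000071 is the expired-password pair
        # from the 4625 event quoted in the thread (-eq is case-insensitive).
        if ($d.Status -eq '0xc000006e' -and $d.SubStatus -eq '0xc0000071') {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Workstation = $d.WorkstationName
                LogonType   = $d.LogonType
                AuthPackage = $d.AuthenticationPackageName
            }
        }
    }
}

Get-RdpListenerSecurity
Get-ExpiredPasswordRdpFailures -Hours 24 | Format-Table -AutoSize
```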
  • Hi,

    I have been facing the same issue. To solve it; I have also enabled the following GPO on all Windows 2012 R2 servers:

    Computer Configuration\Policies\Windows Settings\Security Options\Interactive logon: Prompt user to change password before expiration

    I have set the prompt to 5 days before password expiry, but this is also working for passwords that have already expired.

    (NLA must also be disabled, as you specified:

    Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security
    Require user authentication for remote connections by using Network Level Authentication: Disable)

    Wednesday, April 1, 2015 12:32 PM
  • Thanks a lot. This exactly resolved my Problem!

    Sunday, April 5, 2015 11:04 AM
  • Hi Taylorbox.

    Did you find a solution/answer for this? How can this be fixed (or worked around) in Windows 2012 R2 without weakening security? Thanks

    Tuesday, April 14, 2015 9:15 PM
  • Hello walterso2k,

    Nope, no solution. There's only the workaround that lowers the security of the RDP connection. I presume that disabling Network Level Authentication on Windows Server 2012 R2 actually has no effect (unlike Windows Server 2008 R2). That is, NLA is apparently "hard coded" to be always enabled on 2012 R2 unless lowering the RDP security level.

    Too bad I cannot get anyone from Microsoft to confirm this...

    -Taylorbox

    Tuesday, April 14, 2015 9:29 PM
  • Well, thanks anyway :)
    Tuesday, April 14, 2015 9:48 PM
  • I'm seeing the same thing trying to connect from Windows 8.1 to Server 2012 R2. I have "Require NLA" disabled on the 2012 R2 server and I can connect and change my password connecting from the Windows 7 RDP client. But connecting from the 8.1 RDP client I can't connect and change the password.

    I found this and it works for me https://gist.github.com/pingec/7b391a04412a7034bfb6

    You have to add enablecredsspsupport:i:0 to the Default.rdp file on the 8.1 computer.  Then I can finally connect and reset the password.

    Unfortunately this solution requires a change on all 8.1 client computers.

    Friday, May 8, 2015 4:47 AM
  • Most RDP clients would have NLA enabled on the client side (as it is mostly a client-side functionality). Thus disabling it server-side is only half of the solution.

    On a client-side create an RDP connection file (you can leave connection properties blank), then edit RDP file in notepad adding the following at the top - enablecredsspsupport:i:0

    You can then click on the RDP file and supply connection information (host/credentials)

    Wednesday, October 7, 2015 1:44 AM
  • I know this is an old post but, in case this is helpful to anyone...

    http://woshub.com/allow-users-to-reset-expired-password-via-rd-webaccess-windows-server-2012/ 

    Tuesday, November 10, 2015 7:41 PM
  • Solved it for me!

    Just a note: the actual first policy configuration path (on Win2012R2 domain group policy) is Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration.

    Monday, July 25, 2016 3:18 PM
  • That worked. Thanks!
    Sunday, February 25, 2018 7:46 AM
  • It's not obvious to users exactly HOW to change their passwords in an RDS client session: They need to press CTRL+ALT+END and then select "Change a password" after logging in. I put up a logon message that provides these instructions in addition to my Help Desk phone number.

    anthony maw/vancouver/canada

    Tuesday, March 20, 2018 10:04 PM
  • It's not obvious to users exactly HOW to change their passwords in an RDS client session: They need to press CTRL+ALT+END and then select "Change a password" after logging in. I put up a logon message that provides these instructions in addition to my Help Desk phone number.

    anthony maw/vancouver/canada

    Anthony - your solution is only partly helping in this case - you're not reading OP properly:

    "...change EXPIRED passwords"

    Your solution will only work for passwords that are still valid; however, the second part of your solution, "...in addition to my Help Desk phone number", is in fact the only solution that will work for an end-user with no administrative access if the password is already expired... call the helpdesk...

    Thursday, May 31, 2018 10:46 AM
  • Works for Me! Thanks
    Thursday, January 17, 2019 10:24 AM