Cannot change expired passwords in RDS - Server 2008 R2

  • Question

  • We have an issue where our users are not able to change their passwords via RDP when connecting to a Server 2008 R2 RDS farm.  We are not using RD Gateway.  When a user with an expired password attempts to connect to the farm, they get this alert: "You must change your password before logging on the first time.  For assistance, contact your system administrator or technical support."  This would not be the user's first time logging in, as some of our users forget their passwords and we have to reset and force a change at next logon.

    I get the error message when I use my Win7 (fully patched) notebook to try to connect to the farm.  I would rather not change the Security Layer of the RDS Host from Negotiate to RDP Security Layer if I could avoid it.  I've also tried to install both of these hotfixes (client side and server side), but during the setup process I get an error stating the hotfix is not applicable to my setup.

    Server - http://support.microsoft.com/kb/2648402?wa=wsignin1.0

    Client - http://support.microsoft.com/kb/2648397

    How can we allow our users to change their expired passwords?

    Cheers!

    Little Richard


    Thursday, December 6, 2012 4:41 PM

All replies

  • There is a lot of confusion about this hotfix, and I admit the article implies that all you have to do is install the hotfix and all is well.  There is more to it than that.  It's a feature that adds the capability to change an expired password only if you use RDWeb.

    Yes, you do need to install the fix, but it needs to be installed on your RDWeb server as that is where the change/fix is implemented.  This is explained in the Prerequisites section of the article:

    To apply this hotfix, you must be running Windows Server 2008 R2 or Windows Server 2008 R2 Service Pack 1 (SP1). Additionally, you must have the Remote Desktop Services server role installed and both the Remote Desktop Session Host and Remote Desktop Web Access role services enabled.

    After you install the fix, you must enable it.  When you install the hotfix on your RDWeb server, it updates the webpage code but leaves the option disabled by default.  You can either edit the webpage directly or use IIS admin to do it:

    Open %systemDrive%/windows/web/rdweb/pages/web.config and set the below highlighted value to TRUE.

    <!-- PasswordChangeEnabled: Provides password change page for users. Value must be "true" or "false" -->
    <add key="PasswordChangeEnabled" value="false" />

    Or see this blog on how to do it with IIS (this feature is built-in to Windows Server 2012 now): http://social.technet.microsoft.com/wiki/contents/articles/10755.enabling-the-rd-webaccess-expired-password-reset-option-in-windows-server-2012.aspx

    After enabling the fix, users will see a new web page that allows them to change their password. 


    Don Geddes - SR Support Escalation Engineer - Remote Desktop Services - Printing and Imaging


    Thursday, December 6, 2012 5:22 PM
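As an added example (not code from the thread, from dgeddes or from Microsoft), a PowerShell script that checks the two prerequisites named above before flipping the switch: it assumes the RD Web Access role service is exposed to Get-WindowsFeature as RDS-Web-Access, that the server-side hotfix id is KB2648402 (from the question), and that the PasswordChangeEnabled key sits under <appSettings> in the web.config path quoted in the answer.

```powershell
# Added example: verify KB2648402 prerequisites on the RD Web Access server and
# enable PasswordChangeEnabled in web.config. Run from an elevated PowerShell
# prompt on the RDWeb server itself.

Import-Module ServerManager   # provides Get-WindowsFeature on Windows Server 2008 R2

# Path follows the answer above (assumed standard RDWeb install location).
$webConfig = Join-Path $env:SystemDrive 'Windows\Web\RDWeb\Pages\web.config'

# 1. The hotfix only applies where the RD Web Access role service is present;
#    "not applicable to your setup" from the installer means this check fails.
$rdWeb = Get-WindowsFeature -Name RDS-Web-Access
if (-not $rdWeb.Installed) {
    throw 'RDS-Web-Access role service is not installed; KB2648402 will not apply on this server.'
}

# 2. Confirm the hotfix itself is present before touching the page code.
if (-not (Get-HotFix -Id KB2648402 -ErrorAction SilentlyContinue)) {
    throw 'KB2648402 is not installed; install it before enabling the password change page.'
}

# 3. Keep a timestamped backup of web.config, then set the key to true.
$backup = "$webConfig.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -Path $webConfig -Destination $backup

[xml]$config = Get-Content -Path $webConfig
# Assumption: the <add key="PasswordChangeEnabled" ...> element lives under <appSettings>.
$setting = $config.configuration.appSettings.add |
    Where-Object { $_.key -eq 'PasswordChangeEnabled' }
if (-not $setting) {
    throw "PasswordChangeEnabled key not found in $webConfig (is the hotfix really installed?)"
}

if ($setting.value -ne 'true') {
    $setting.value = 'true'
    $config.Save($webConfig)
    Write-Host "PasswordChangeEnabled set to true (backup saved to $backup)."
} else {
    Write-Host 'PasswordChangeEnabled is already true; nothing changed.'
}
```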
  • Thanks dgeddes and hopefully there will be a hockey season!!

    We do not use a RDWeb server or RD Gateway.  The only roles we use are the Connection Broker, License Manager, and RDS Host (of course).

    Thursday, December 6, 2012 5:32 PM
  • You must use RDWeb to enable this fix.  Alternatively, if you have OWA you can direct users to change their password there.

    Don Geddes - SR Support Escalation Engineer - Remote Desktop Services - Printing and Imaging

    Thursday, December 6, 2012 5:34 PM
    All of our traffic is internal (local) so there is no need for us to use RDWeb, unless I'm not fully understanding the need for RDWeb.  Hopefully this isn't the only solution.

    Thanks again dgeddes!

    Cheers!

    Little Richard.

    Thursday, December 6, 2012 6:04 PM
  • Is there any reason your users cannot use CTRL-ALT-DEL to change their password?  Are your client machines running Windows?

    Don Geddes - SR Support Escalation Engineer - Remote Desktop Services - Printing and Imaging

    Thursday, December 6, 2012 6:08 PM
    95% of our users are running on Thin Clients (the other 5% are PCs and I'm not worried about them).  I'd say half of them are running WES7 and the other half running CE terminals (with RDP 6.0).  The users running the CE terminals cannot get to CTRL-ALT-DEL to change their password.  They also authenticate before hitting the destination RDS server (NLA).  The users running WES7 are brought to a HP Connection Manager screen where they choose to connect to our RDS farm.  Again, these users cannot get to CTRL-ALT-DEL to change their password.  They also authenticate before getting to their destination server.

    Thursday, December 6, 2012 7:13 PM
  • Hi,

    Please change your security layer to RDP.

    To do this, click start--run--tsconfig.msc, double-click RDP-Tcp, change security layer to RDP Security Layer, click ok, then test.

    Thursday, December 6, 2012 7:44 PM
  • In that case, RDWeb is your only option.  WES7 clients should be able to use CAD, unless their desktops are locked down and you are preventing them from doing so (I'm not familiar with HP Connection Manager).

    Don Geddes - SR Support Escalation Engineer - Remote Desktop Services - Printing and Imaging

    Thursday, December 6, 2012 7:44 PM
  • @Prvreddy (or anyone I suppose) - I've tested the change of security layer from Negotiate to RDP Security Layer and here are the questions I have after my testing:

    1. Since we use NLB and connection broker, will our load be balanced across the farm even though the user is now authenticating on the server?

    2. Why do I get prompted to log in multiple times after I change the security layer to RDP Security?  The first authentication comes when I try to connect to the farm and the second authentication request seems to come when I get to my destination host.

    Thursday, December 6, 2012 8:30 PM
  • Because changing the security layer to RDP Security Layer basically disables NLA and causes the authentication to work like Windows Server 2003.  You will continue to get multiple authentication prompts when you are redirected in a farm until you change the security layer back to Negotiate (the default setting).

    Don Geddes - SR Support Escalation Engineer - Remote Desktop Services - Printing and Imaging

    Thursday, December 6, 2012 9:49 PM
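As an added example, not from the thread: a PowerShell audit for the trade-off dgeddes describes, reading the RDP-Tcp listener's SecurityLayer and UserAuthenticationRequired (NLA) values through the Win32_TSGeneralSetting WMI class so that a session host left on RDP Security Layer (and therefore without NLA) is flagged; the -Restore switch and the number-to-name mapping are mine, the WMI class and its SetSecurityLayer / SetUserAuthenticationRequired methods are the standard Terminal Services provider.

```powershell
# Added example: report whether the RDP-Tcp listener still enforces NLA with the
# Negotiate security layer, and optionally put it back. Run on the RD Session Host
# from an elevated prompt (add -ComputerName to Get-WmiObject for remote hosts).
param([switch]$Restore)

$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
if (-not $listener) { throw 'RDP-Tcp listener not found in Win32_TSGeneralSetting.' }

# SecurityLayer values: 0 = RDP Security Layer, 1 = Negotiate (default), 2 = SSL/TLS
$layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL' }
$layer = $layerNames[[int]$listener.SecurityLayer]
$nla   = [bool]$listener.UserAuthenticationRequired

'{0}: SecurityLayer={1}, NLA required={2}' -f $env:COMPUTERNAME, $layer, $nla

# RDP Security Layer disables NLA: the user is authenticated by the session host
# only after the session is set up, which is why the farm redirect prompts twice.
$weak = ($listener.SecurityLayer -eq 0) -or (-not $nla)
if ($weak) {
    $msg = 'Listener accepts connections without NLA (workaround from this thread ' +
           'is in effect). Expected: SecurityLayer=Negotiate, NLA required=True.'
    Write-Warning $msg
    if ($Restore) {
        # Return values are WMI result objects; 0 in ReturnValue means success.
        $r1 = $listener.SetSecurityLayer(1)
        $r2 = $listener.SetUserAuthenticationRequired(1)
        if ($r1.ReturnValue -eq 0 -and $r2.ReturnValue -eq 0) {
            Write-Host 'Restored Negotiate security layer and NLA on RDP-Tcp.'
        } else {
            Write-Warning "Restore failed: SetSecurityLayer=$($r1.ReturnValue), SetUserAuthenticationRequired=$($r2.ReturnValue)"
        }
    }
}
```

Running it across the farm before and after the tsconfig.msc change makes the difference between the two states visible in one line per host.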