Hello World,
I know…it has been a long time since I didn’t post any new stuff on my blog. The reason is that I’m really overloaded by work. So, It’s becoming difficult to get some free time to blog. Anyway, let’s have a look a the topic of the day.
In this post, we will discuss about the password management while working or implementing Remote Desktop Services. In a standard situation, a user would login into the workstation and could start using the remoteapp functionality. If the password has expired while login into the computer; the user will be prompted to reset the password and the login process could proceed.
In another standard situation, you have published your Remote Web Access Role server (through the Remote Gateway) and the user can basically access the server from the internet. In this case, if the password expired (by default) the user would not be able to reset the password. User would call the helpdesk and start the resetting password process within your company.
In the last years, we have seen that IT services tend to delegate a certain number of tasks to the users (through Self-Service Portal). In fact, Remote Desktop services offer the possibility to allow a user to reset their own password through the web interface. This feature is turned off by default but If you would like to offer a better user experience you might wanna consider to use this option.
This feature is terrific because it minimize user frustration when password has expired and you still have a good level of security (i.e password policy and reset password process).
In this post, we will show you how you can enable this feature and how it works…
Enabling Password Reset for RemoteApp Solutions
Windows 2012 R2 Operating System
If you are running Windows 2012 R2, you will need to go to your Remote Web Access server. If you browse to the following location :
C:\Windows\Web\RDWeb\Pages\en-US
you will see that you have a web page called password.aspx
Click on Picture for Better Resolution
If you try to browse to this page (with no prior configuration) using the following url https://<RDWebServer>/RDWeb/Pages/en-us/password.aspx, you will be redirected to the normal remote web access login page.
To access this page, you will need to enable this feature at the IIS level. You will enable this feature by performing the following actions :
Step 1 – Open the Internet Information Service Management Console (Inetmgr)
Step 2 – Expand the treeview (on the left side) Sites>Default Web Site > RDWeb >Pages
Click on Picture for Better Resolution
Step 3 – at the Pages node level, in the mid pane, click on the Applications Settings icons
Click on Picture for Better Resolution
Step 4 – in the applications settings page, double-click on the PasswordChangeEnabled
Click on Picture for Better Resolution
Step 5 – in the popup box, replace the value false by the value true
Step 6 – Confirm that the value has been changed to true in your Console
Click on Picture for Better Resolution
After that, you are ready to go ! Your users will be able to change password through the web interface in case the password has expired.
Click on Picture for Better Resolution
Windows 2008 R2 Operating System
Now, if you are using Windows 2008 R2, you can also implement such feature the same way we described here above. However, before you can enable this feature, you will need to download a hotfix from microsoft. This hotfix will basically copy the password.aspx page (and associated code) to your remote Web Access server. Once installed, you can perform the same operations in the internet Information service console to enable the feature.
Testing the Change Password Tool
We will test that this web based Reset Password Tool is working as expected. To test this, we have created a user account called expired. To have the password expired for this user, we have changed the value of the following attribute PwdLastSet and set it to 0
Click on Picture for Better Resolution
By setting a null value to the PwdLastSet attribute, we are basically saying to Active Directory that the password is expired. So, when this user will try to login into the RemoteApp web interface, the following message will be displayed.
Click on Picture for Better Resolution
After clicking on the link; the user will be redirected to the change password web form and the user will be able to change its password.
Click on Picture for Better Resolution
If the password is changed succesfully, the user will see a success message. By Pressing the OK button; the user will be redirected to the login page. The user can then proceed with the login operation.
Click on Picture for Better Resolution
This Change Reset Password tool take into account the Password Policy requirements that you have implemented within your Active Directory. If you require password complexity and password history, if the user tries to reset the password through the web interface without respecting password complexity or password history, the tool will not let the user change the password
Click on Picture for Better Resolution
The tool has been developed with security in mind.
Final Notes
We have seen how easy it is to implement a simple and efficient password management solution while using Remote Desktop services. This feature is disabled by default on Windows 2012 R2 but can easily be enabled.
I had a lot of questions from my customers about this password reset web tool. As the name implies, this tool can be used when the password of a user is expired. Some customers asked me if this tool could be used when helpdesk was creating a new user account and set the flag “User Must Change Password at next Logon”. The answer is :
Yes, you can use this web interface to allow user to change their password if the user Must change Password at next logon option is selected.
Actually, when you check this option “User Must Change Password at next Logon, you are basically forcing the password to expire. If you look at a user account properties where the option User Must Change Password at next logon is not selected, you can see that the PwdLastSet attribute contains a date value.
Click on Picture for Better Resolution
After checking the option “User Must change Password at Next logon, if you look at the PwdLastSet attribute, you will see that the value is set to zero. (exactly what we did above to test password expiration)
Click on Picture for Better Resolution
And Voila ! Not only we are offering access to your infrastructure via the web interface but moreover you are able to offer your users the possibility to change their passwords in a clean,secure and easy way (still through the web interface). This is the best option when you have a lot of remote users or users that needs to access your infrastructure through internet kiosk machines.
Hope you enjoy this post
Till next time see ya
How did you find this hotfix for Server 2008R2 is this posted somewhere?
Hello Richard,
In this post, we provide a link to this hotfix….
in the Windows 2008 R2 Operating System section, there is a red text called hotfix. If you click on it, you will be redirected to the microsoft page where the update can be downloaded
Hope this help
Till next time
See ya
Thank you!
No Problem
Till next time
See ya
in my case works fine until password change. Password is changed but no confirmation page is shown. An 404 page not found is showed after a few seconds. I understand that user is not allowed to show page becouse password change but i don’t know how to solve it.
thanks
Hello There,
I do not understand your problem. If you go to the change password page, and you change the password, at the bottom of the form, you should have a link that would redirect you to the login page. This is out-of-the box and there is no need to change or configure anything..
Have you changed the code in the aspx pages for RDWeb or didn’t you change any iis configuration ?
If not, I have no clue where the issue could be… is there any logs, eventvwr that would provide us a direction where to look.
Hope this help
Till next time
Unfortunately it doesn’t work for me. The link to the password.aspx page redirects me to the login page even after changing the value to true and restarting IIS.
@Aggelos,
This should be working. Some Questions to try debugging…
Are you sure you are performing all the actions needed ?
Are you sure you are performing the actions on the proper servers ?
Can you describe your RDS FARM. Can you check that you have performed the change at the correct virtual directory level ?
Do you have one or multiple RDS Web servers ? IF multiple; you need to perform that on all servers
Have you closed/open your Browser and cleanup on Exit
Can you provide some screenshots of your configuration ?
Hope this help
Till next time
See ya
Constantly getting this message – unsure why. 2012R2 server is using our domain password policy which is 6 remembered, 6 chars length min, not using complexity.
Your new password does not meet the length, complexity, or history requirements of your domain. Try choosing a different new password.
@Jeremy,
Password Policy will apply to your RDS 2012 R2 login and reset page.
You didn’t specify if this is for the same user or all users…..
The only thing I could think of is the Domain Password Policy. If you have a minimum age password different than 0 (in your GPO), then you have to wait at least the amount of time before the user can change password.
Give it a try and provide feedback…
Till next time
See ya
Yes that was it, our setting is set to 1. Waiting until next day then i could do it no problem.
Question though, i am only using the password.aspx. I want to remove the domain\ from the screen so they just need to enter in their user names. How do i accomplish this?
@Jeremy,
you have to update some of the js file and aspx file….
As I do not have the possibility right now to explain all the steps, I will redirect you to this web site
https://anandthearchitect.com/2013/11/10/rds-2012-how-to-login-to-rdweb-page-without-typing-domain-name/
Hope this help
Till Next time
see ya
HI
If a user has forgotten his login password, can user reset password by themself using RemoteApp
@Subaharan,
No, the user needs to know the previous password in order to use the reset password page available when installing remoteapps…
To meet your requirements, you could use a self-service portal solution where the users needs to answer to a number of questions which will them offer the possibility to reset their password without knowing the old one.
Hope this help
Till next time
kindly update, will it work only if the user password has expired or forced to change password.
or it works all tje time when you like to change password…
@Shazad,
The password change web change page can be used for a user to change his password even if password is not expiring. As long as user know the url of the page, he can change password
Hope this help
Till next time
See ya
Hi, just to let know that i’ve done this on a Windows 2022 server and it works just fine.