RDS 2012 R2 – User Must Change Password at Next Logon

Hello World,

Today, we will discuss a common topic that shows up when users are allowed to perform direct rdp connections to the Remote Host Session servers.  This is not something new and if you google about this issue, you will find a lot of resources addressing that issue……

The situation

You have some users that can perform a direct remote desktop connection to the RD Host Session server (Full Desktop access). However, because the user do not remember its password (he just came back from holidays 🙂 ) or because of an issue where a reset of the password was needed.  In this case, the support team would provide an initial password to the user and the use the option “user must change password at next logon” to ensure that the password policy of your organization is compliant.

ChangePwd_1

Click on Picture for Better Resolution

If you are using RDS 2012 R2, by default, security settings will be set to use the NLA (Network Level Authentication) option. This settings provides a higher level of security.

If a user who needs to change password at next login tries to connect to a RD Host Session server while NLA option is enabled, the user will receive the following error message and connection will not occur

ErrorMessage1

Click on Picture for Better Resolution

You might also receive some other message errors related to NLA which can be related to the situation described above

ChangePwd_7

Click on Picture for Better Resolution

The possible options

The issue comes from the fact that the NLA option is enabled and that the RDP Client enforce the usage of this feature as well. 

Option 1 – Provide a Temporary Password to the user

You could provide a temporary password to the user so he can perform the first login. Then, you have to monitor and ensure that the user is performing a change password within the Remote session.  To change the password, the user can press Ctrl+Alt +End to display the necessary screen option.

ChangePwd_3

Click on Picture for Better Resolution

Note : You could also provide a really complex password which will force the user to change it immediately…

Option 2 – Temporary password and utility to reset it after first login

This option is similar to the first one. The main difference here is we want to be sure that the user will change the password at first login. So, we could think of a solution where when the user first login into the remote session, a utility will be presented to the user in order for him to change the password.  If the password is not changed at the first login, the user will have no access to the remote session.

This could be a script, a custom utility that would run at logon which will check that the password has been changed and will grant access to the remote session….

Option 3 – Disable NLA option on the RDS server

You could disable the NLA option on the server side and lower your security settings.  But this would not be enough…. You will also need to change the way the rdp client is configured in order to perform the connection.

ChangePwd_2

Click on Picture for Better Resolution

If you simply change the option at the server level (disable NLA), the same error will popup while trying to connect via the remote desktop client.

To be able to access the remote session, you will need to create a custom .rdp file.  Open your rdp client and click on the show options

ChangePwd_4

Click on Picture for Better Resolution

In the rdp client, click on save as button

ChangePwd_5

Click on Picture for Better Resolution

Specify the name of the file to be used and save it to your favorite location

Open the saved rdp file using notepad and append at the end of the text the following text enablecredsspsupport:i:0

ChangePwd_6

Click on Picture for Better Resolution

Save the file

Double-click on it and you should be able to connect to you remote desktop server and change your password

 

Note :  

I didn’t know about the changes needed at the rdp client level.  I have found all the necessary information about that in the following post : https://mssec.wordpress.com/2015/12/26/forced-password-change-at-next-logon-and-rdp/  . This post was really useful for us in order to write this one…. Thank you to the author 

Option 4 – Change Password Web Page (My Preferred Option)

If you have RDS 2012 R2 infrastructure, you have a RD Web server installed by default.  This is required role in a RDS Farm. Simply provide the url of the web page where the user can change the password and then the user will be able to login into the Remote Session.

RD_PWD6

Click on Picture for Better Resolution

This solution is easy, simple to implement. The solution is kind of included in the product

Final Notes

Since the introduction of NLA feature, RDP connection should be more secure but this introduce some challenges in the way the support team needs to administer and face customer issues and requests. With a little bit of good sense, you can see that instead of going for really crazy solutions, we could simply take care of a “hidden” feature available out-of-the-box with RDS infrastructure and allow users to perform the change of the password in an quite easy way.

Hope you enjoy this post

Till next time

See ya

 

 

2 thoughts on “RDS 2012 R2 – User Must Change Password at Next Logon

Leave a Reply