RDS – Allow users to reset expired password

Hello World,

I know... it has been a long time since I posted anything new on my blog. The reason is that I am really overloaded with work, so it is becoming difficult to find free time to blog. Anyway, let's have a look at the topic of the day.

In this post, we will discuss password management when working with or implementing Remote Desktop Services. In a standard situation, a user logs into the workstation and can start using the RemoteApp functionality. If the password has expired when the user logs into the computer, the user is prompted to reset the password and the login process can then proceed.

In another standard situation, you have published your Remote Web Access role server (through the Remote Desktop Gateway) and users can access the server from the internet. In this case, if the password has expired, the user cannot reset it by default. The user has to call the helpdesk and go through your company's password reset process.

In recent years, we have seen IT services delegate a number of tasks to users (through self-service portals). In fact, Remote Desktop Services offers the possibility of letting users reset their own password through the web interface. This feature is turned off by default, but if you would like to offer a better user experience you might want to consider using this option.

This feature is terrific because it minimizes user frustration when a password has expired, while you still keep a good level of security (i.e. the domain password policy and the password reset process still apply).

In this post, we will show you how to enable this feature and how it works.

Enabling Password Reset for RemoteApp Solutions

Windows 2012 R2  Operating System

If you are running Windows 2012 R2, you will need to go to your Remote Web Access server. If you browse to the following location:

C:\Windows\Web\RDWeb\Pages\en-US

you will see that there is a web page called password.aspx.


If you try to browse to this page (with no prior configuration) using the URL https://<RDWebServer>/RDWeb/Pages/en-us/password.aspx, you will be redirected to the normal Remote Web Access login page.

To access this page, you will need to enable this feature at the IIS level, by performing the following actions:

Step 1 – Open the Internet Information Services Management Console (Inetmgr)

Step 2 – Expand the tree view (on the left side): Sites > Default Web Site > RDWeb > Pages


Step 3 – At the Pages node level, in the middle pane, click on the Application Settings icon


Step 4 – In the Application Settings page, double-click on PasswordChangeEnabled


Step 5 – In the popup box, replace the value false with the value true

Step 6 – Confirm that the value has been changed to true in your console


After that, you are ready to go! Your users will be able to change their password through the web interface when it has expired.
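The same six steps can be scripted, which is useful when you have several RD Web Access servers and want the setting to be identical on all of them. The following is an added example and is not part of the original post or of the RDS product; it assumes the RD Web Access site was installed under the default site name "Default Web Site" and that the WebAdministration module (installed with IIS on Windows Server 2012 R2) is available. Run it in an elevated PowerShell session on each RD Web Access server.

```powershell
# Added example (not from the original post): enable the RDWeb password change page
# from PowerShell. Assumption: the site is named "Default Web Site".
Import-Module WebAdministration

# Same node as Sites > Default Web Site > RDWeb > Pages in the IIS console.
$pagesPath = 'IIS:\Sites\Default Web Site\RDWeb\Pages'
# The appSettings entry edited in Step 4.
$filter = "/appSettings/add[@key='PasswordChangeEnabled']"

function Get-PasswordChangeEnabled {
    # Returns the current value of PasswordChangeEnabled as a plain string ('true' / 'false').
    $raw = Get-WebConfigurationProperty -PSPath $pagesPath -Filter $filter -Name 'value'
    # WebAdministration normally returns a ConfigurationAttribute object; normalise it.
    if ($raw -is [string]) { return $raw }
    return [string]$raw.Value
}

$before = Get-PasswordChangeEnabled
Write-Host "PasswordChangeEnabled before: $before"

# Step 5: replace false with true.
Set-WebConfigurationProperty -PSPath $pagesPath -Filter $filter -Name 'value' -Value 'true'

# Step 6: confirm the value was actually written on this server.
$after = Get-PasswordChangeEnabled
if ($after -ne 'true') {
    throw "PasswordChangeEnabled is still '$after' on $env:COMPUTERNAME"
}
Write-Host "PasswordChangeEnabled after:  $after"
```

The check at the end matters when the change is rolled out to a farm: if one RD Web Access server keeps the value false, users landing on that server through the load balancer will still be sent back to the login page instead of password.aspx.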


Windows 2008 R2  Operating System

Now, if you are using Windows 2008 R2, you can also implement this feature the same way as described above. However, before you can enable it, you will need to download a hotfix from Microsoft. This hotfix basically copies the password.aspx page (and the associated code) to your Remote Web Access server. Once it is installed, you can perform the same operations in the Internet Information Services console to enable the feature.


Testing the Change Password Tool

We will test that this web-based password reset tool works as expected. To test this, we have created a user account called expired. To have the password expired for this user, we have changed the value of the PwdLastSet attribute and set it to 0.


By setting the PwdLastSet attribute to zero, we are basically telling Active Directory that the password is expired. So, when this user tries to log into the RemoteApp web interface, the following message is displayed.


After clicking on the link, the user is redirected to the change password web form, where the user can change their password.


If the password is changed successfully, the user sees a success message. By pressing the OK button, the user is redirected to the login page and can then proceed with the login operation.


This change password tool takes into account the password policy requirements that you have implemented within your Active Directory. If you require password complexity and password history, and the user tries to reset the password through the web interface without respecting the complexity or history rules, the tool will not let the user change the password.


The tool has been developed with security in mind.

Final Notes

We have seen how easy it is to implement a simple and efficient password management solution when using Remote Desktop Services. This feature is disabled by default on Windows 2012 R2 but can easily be enabled.

I had a lot of questions from my customers about this password reset web tool. As the name implies, this tool can be used when the password of a user has expired. Some customers asked me if this tool could also be used when the helpdesk creates a new user account and sets the flag "User must change password at next logon". The answer is:

Yes, you can use this web interface to allow users to change their password if the "User must change password at next logon" option is selected.

Actually, when you check the option "User must change password at next logon", you are basically forcing the password to expire. If you look at the properties of a user account where the option "User must change password at next logon" is not selected, you can see that the PwdLastSet attribute contains a date value.


After checking the option "User must change password at next logon", if you look at the PwdLastSet attribute, you will see that the value is set to zero (exactly what we did above to test password expiration).
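Both the test setup in the "Testing the Change Password Tool" section (PwdLastSet set to 0) and the observation above (the "User must change password at next logon" checkbox does the same thing) can be reproduced and verified from PowerShell. This is an added example, not code from the original post; it uses the ActiveDirectory module from RSAT, the test account name expired from the post, and must be run with an account allowed to modify that test user.

```powershell
# Added example (not from the original post): expire a test account's password the two ways
# described in the post and verify the result. Assumptions: the ActiveDirectory module is
# installed and the test account "expired" exists in the domain.
Import-Module ActiveDirectory

$testUser = 'expired'   # test account from the post; adjust for your domain

# Policy the RDWeb change password page enforces (see the complexity/history note in the post;
# MinPasswordAge is the setting raised in comment #7 below).
Get-ADDefaultDomainPasswordPolicy |
    Select-Object ComplexityEnabled, PasswordHistoryCount, MinPasswordLength, MinPasswordAge

function Get-PasswordState {
    # Reads back pwdLastSet and the computed PasswordExpired flag for one account.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet, PasswordExpired
    [pscustomobject]@{
        User            = $u.SamAccountName
        pwdLastSet      = $u.pwdLastSet      # 0 = expired / must change at next logon
        PasswordExpired = $u.PasswordExpired
    }
}

Write-Host 'Before:'
Get-PasswordState -SamAccountName $testUser

# Option A (what the post did for the test): write 0 into pwdLastSet directly.
Set-ADUser -Identity $testUser -Replace @{ pwdLastSet = 0 }

# Option B (the helpdesk scenario from the final notes): tick "User must change password
# at next logon". It produces the same pwdLastSet = 0 as Option A.
# Set-ADUser -Identity $testUser -ChangePasswordAtLogon $true

Write-Host 'After:'
$state = Get-PasswordState -SamAccountName $testUser
if ($state.pwdLastSet -ne 0 -or -not $state.PasswordExpired) {
    throw "Account $testUser is not in the expired state expected for the test"
}

# Cleanup once testing is done: writing -1 stamps pwdLastSet with the current time,
# which clears the must-change flag without setting a new password.
# Set-ADUser -Identity $testUser -Replace @{ pwdLastSet = -1 }
```

After Option A or B the RemoteApp login page should show the "password expired" message from the testing section, and a successful change through password.aspx will replace the zero in pwdLastSet with a fresh timestamp, which is what Get-PasswordState will report if you run it again.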


And voilà! Not only are you offering access to your infrastructure via the web interface, but you are also able to offer your users the possibility to change their passwords in a clean, secure and easy way (still through the web interface). This is the best option when you have a lot of remote users, or users who need to access your infrastructure through internet kiosk machines.

Hope you enjoyed this post.

Till next time, see ya

18 thoughts on “RDS – Allow users to reset expired password”

  1. Hello Richard,

    In this post, we provide a link to this hotfix...
    In the Windows 2008 R2 Operating System section, there is a red text called hotfix. If you click on it, you will be redirected to the Microsoft page where the update can be downloaded.

    Hope this helps
    Till next time
    See ya

  2. In my case it works fine until the password change. The password is changed but no confirmation page is shown. A 404 page not found is shown after a few seconds. I understand that the user is not allowed to show the page because of the password change but I don’t know how to solve it.
    Thanks

  3. Hello There,

    I do not understand your problem. If you go to the change password page and you change the password, at the bottom of the form you should have a link that will redirect you to the login page. This is out of the box and there is no need to change or configure anything.

    Have you changed the code in the aspx pages for RDWeb, or did you change any IIS configuration?
    If not, I have no clue where the issue could be... Are there any logs or events in eventvwr that would give us a direction where to look?

    Hope this helps
    Till next time

  4. Unfortunately it doesn’t work for me. The link to the password.aspx page redirects me to the login page even after changing the value to true and restarting IIS.

  5. @Aggelos,

    This should be working. Some questions to help debug this...

    Are you sure you are performing all the actions needed?
    Are you sure you are performing the actions on the proper servers?
    Can you describe your RDS farm? Can you check that you have performed the change at the correct virtual directory level?
    Do you have one or multiple RDS Web servers? If multiple, you need to perform the change on all servers.
    Have you closed/reopened your browser, and cleaned up on exit?
    Can you provide some screenshots of your configuration?

    Hope this helps
    Till next time

    See ya

  6. Constantly getting this message, unsure why. The 2012 R2 server is using our domain password policy, which is 6 remembered, 6 characters minimum length, not using complexity.

    Your new password does not meet the length, complexity, or history requirements of your domain. Try choosing a different new password.

  7. @Jeremy,

    The password policy will apply to your RDS 2012 R2 login and reset page.
    You didn’t specify if this is for the same user or for all users...

    The only thing I can think of is the domain password policy. If you have a minimum password age different from 0 (in your GPO), then you have to wait at least that amount of time before the user can change the password.

    Give it a try and provide feedback…

    Till next time
    See ya

  8. Question though, I am only using the password.aspx page. I want to remove the domain\ from the screen so they just need to enter their user names. How do I accomplish this?

  9. Hi
    If a user has forgotten his login password, can the user reset the password by themselves using RemoteApp?

  10. @Subaharan,

    No, the user needs to know the previous password in order to use the reset password page that is available when installing RemoteApps...
    To meet your requirements, you could use a self-service portal solution where the user needs to answer a number of questions, which will then offer them the possibility to reset their password without knowing the old one.

    Hope this helps
    Till next time

  11. @Shazad,

    The password change web page can be used by a user to change his password even if the password is not expiring. As long as the user knows the URL of the page, he can change the password.
    Hope this helps
    Till next time
    See ya
