Hello World,
Today, we will discuss a common issue that shows up when users are allowed to make direct RDP connections to RD Session Host servers. This is nothing new, and if you search for it you will find plenty of resources addressing the same problem...
The situation
You have some users who can make a direct remote desktop connection to the RD Session Host server (full desktop access). One of them does not remember his password (he just came back from holidays 🙂 ), or a password reset was needed for some other reason. In this case, the support team provides an initial password to the user and ticks the option "User must change password at next logon", so that the password policy of your organization is still respected.
If you are using RDS 2012 R2, the security settings of the session host use the NLA (Network Level Authentication) option by default. This setting provides a higher level of security: the user is authenticated before the remote session is created.
If a user who must change his password at next logon tries to connect to an RD Session Host server while NLA is enabled, the user receives the following error message and the connection does not occur.
You might also receive other error messages related to NLA that are caused by the same situation.
The possible options
The issue comes from the fact that NLA is enabled on the server and that the RDP client enforces the use of this feature as well: with NLA, the credentials are validated before the session exists, so there is no session in which the expired password could be changed.
Option 1 – Provide a Temporary Password to the user
You could provide a temporary password to the user so he can perform the first login. Then you have to monitor and ensure that the user changes the password within the remote session. To change the password, the user can press Ctrl+Alt+End to display the necessary screen option.
Note: You could also provide a really complex password, which will push the user to change it immediately...
Option 2 – Temporary password and utility to reset it after first login
This option is similar to the first one. The main difference is that here we want to be sure that the user changes the password at first login. So we could think of a solution where, when the user first logs into the remote session, a utility is presented to him so that he can change the password. If the password is not changed at the first login, the user gets no access to the remote session.
This could be a script or a custom utility that runs at logon, checks that the password has been changed, and only then grants access to the remote session...
Option 3 – Disable NLA option on the RDS server
You could disable the NLA option on the server side and lower your security settings. But this would not be enough... You will also need to change the way the RDP client is configured in order to perform the connection.
If you simply change the option at the server level (disable NLA), the same error will pop up when you try to connect with the remote desktop client.
To be able to access the remote session, you will need to create a custom .rdp file. Open your RDP client and click on "Show Options".
In the RDP client, click on the "Save As" button.
Specify the name of the file to be used and save it to your favorite location.
Open the saved .rdp file with Notepad and append the following line at the end of the file: enablecredsspsupport:i:0
Save the file.
Double-click on it and you should be able to connect to your remote desktop server and change your password.
Note:
I didn't know about the changes needed at the RDP client level. I found all the necessary information about that in the following post: https://mssec.wordpress.com/2015/12/26/forced-password-change-at-next-logon-and-rdp/ . This post was really useful for us in writing this one... Thank you to the author.
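The same client-side change, together with a check of the server-side setting it depends on, as an added PowerShell example (this is not code from the original post; the host name and the output path are placeholders to replace):

```powershell
# Added example, not from the original post. Writes the custom .rdp file from
# Option 3 and checks whether NLA is still required on the session host.
# $SessionHost and $OutFile are placeholders; replace them for your environment.
param(
    [string]$SessionHost = 'rdsh01.example.local',                              # placeholder
    [string]$OutFile     = (Join-Path $env:USERPROFILE 'Desktop\ChangePassword.rdp')
)

# An .rdp file is a plain list of name:type:value lines. 'full address' is the
# standard target setting; 'enablecredsspsupport:i:0' is the line the post adds
# and tells mstsc not to use CredSSP (NLA) for this connection.
$lines = @(
    "full address:s:$SessionHost"
    'enablecredsspsupport:i:0'
)
Set-Content -Path $OutFile -Value $lines -Encoding Unicode   # mstsc saves .rdp files as UTF-16
Write-Output "Wrote $OutFile"

# The file alone is not enough: the session host must also have NLA disabled.
# Win32_TSGeneralSetting is the WMI class behind the 'Remote' tab; the
# TerminalServices namespace needs packet privacy for remote queries.
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                    -Class Win32_TSGeneralSetting `
                    -Filter "TerminalName='RDP-Tcp'" `
                    -ComputerName $SessionHost `
                    -Authentication PacketPrivacy

if ($ts.UserAuthenticationRequired -eq 1) {
    Write-Warning "NLA is still required on $SessionHost; the connection will fail with the same error."
} else {
    Write-Warning "NLA is disabled on $SessionHost. Re-enable it once the password has been changed."
    # To put NLA back after the password change:
    #   $null = $ts.SetUserAuthenticationRequired(1)
}
```

Keep in mind what the two settings do: with CredSSP support off and NLA disabled, the credentials are sent inside the session instead of before it, and the logon screen of the server is exposed to anyone who can reach port 3389. Treat the custom .rdp file as a one-off for the password change and re-enable NLA afterwards, which is what the last comment in the script is for.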
Option 4 – Change Password Web Page (My Preferred Option)
If you have an RDS 2012 R2 infrastructure, you have an RD Web Access server installed by default; this is a required role in an RDS farm. Simply provide the URL of the web page where the user can change the password, and afterwards the user will be able to log into the remote session.
This solution is easy and simple to implement, and it is more or less included in the product.
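An added PowerShell check (not part of the original post) that confirms the RD Web Access password change page is switched on before you hand its URL to users. The web.config path, the PasswordChangeEnabled key and the password.aspx page name are taken from the RD Web Access role itself, not from the post, and are stated here as assumptions; the server name is a placeholder:

```powershell
# Added example, not from the original post. Verifies that the RD Web Access
# password change page is enabled and prints the URL to give to users.
# Assumptions: the RD Web Access role keeps its settings in the web.config below
# and serves the page at /RDWeb/Pages/<culture>/password.aspx; $RdWebHost is a placeholder.
param(
    [string]$RdWebHost = 'rdweb.example.local',   # placeholder
    [string]$Culture   = 'en-US'
)

$configPath = Join-Path $env:SystemRoot 'Web\RDWeb\Pages\web.config'
[xml]$config = Get-Content -Path $configPath

# The page is controlled by a single appSettings key, which is typically "false"
# on a fresh install, hence the "hidden" feature mentioned in the post.
$setting = $config.configuration.appSettings.add |
           Where-Object { $_.key -eq 'PasswordChangeEnabled' }

if ($null -eq $setting) {
    Write-Warning "PasswordChangeEnabled not found in $configPath; check the RD Web Access version."
} elseif ($setting.value -ne 'true') {
    Write-Warning "Password change page is disabled. Set PasswordChangeEnabled to 'true' in $configPath."
} else {
    Write-Output "Password change page is enabled: https://$RdWebHost/RDWeb/Pages/$Culture/password.aspx"
}
```

Because the password is changed over HTTPS on the RD Web Access server, NLA can stay enabled on every session host; none of the security settings from Option 3 need to be touched.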
Final Notes
Since the introduction of the NLA feature, RDP connections are more secure, but this introduces some challenges in the way the support team administers the environment and handles customer issues and requests. With a little common sense you can see that, instead of going for really convoluted solutions, we can simply rely on a "hidden" feature available out of the box in the RDS infrastructure and let users change their password in quite an easy way.
Hope you enjoy this post
Till next time
See ya
The setting to add to the RDP file is
enablecredsspsupport:i:0
Otherwise a useful page.
@Steve;
Thank you for the feedback and the visit... indeed, there was a typo in the blog; we have fixed it.
Till next time
See ya