Troubleshooting Question

If one requires NLA, users cannot change their passwords prior to logon - why?

Asked by McKnife (Germany)
Topics: Remote Access, Microsoft Server OS, Network Security
Hi experts.

We run a 2008 R2 remote desktop server. We require NLA (network level authentication).
My goal is to understand the following technical detail:
http://en.wikipedia.org/wiki/Network_Level_Authentication says:
"Not possible to log on and change password when "User must change password at next logon" is enabled on the user account"

While I can reproduce this unwanted effect myself, I don't understand it. Can anyone wiser give details on what exactly NLA changes so that this pw-change prior to logon is made technically impossible?

Background: we would like to use RDP-SSO. That however requires NLA. And NLA "destroys" the ability to set up new users with the attribute "User must change password at next logon" if those users are only able to log on via RDP - they are simply rejected with the error "An authentication error has occurred. The local security authority cannot be contacted".