Issue in Windows 2012 R2 when setting RDP users to change password upon login

We have had cases where RDP users could not log on to a Remote Desktop Session Host (terminal server) when "User must change password at next logon" was checked in the account properties (see screenshot #1 below). The cause is the authentication order in recent Windows versions: with Network Level Authentication (NLA) enabled, the Credential Security Support Provider (CredSSP) must validate the user's credentials before the session is created, and a password that is flagged for change fails that validation, so the client is rejected with an error saying the password must be changed before logging on, with no logon screen in which to change it. This only affects forcing a password change over an RDP session; the same account can change its password normally from a console logon when you are local to the machine. Here is a workaround, as well as alternatives you may consider:


  1. Don't use this option to force users to change their password. Instead, have them change it themselves after logging on by pressing Ctrl+Alt+End (the RDP equivalent of Ctrl+Alt+Del) and following the "Change a password" prompts. Another option is to create a complex, strong password for them and not check "change at next logon" at all (often the safest route), or have them choose their own password and enter it together with the Administrator in the admin session, again without selecting the change-at-next-logon option.
  2. NOT RECOMMENDED IN GENERAL – If you still want to use this option to force a password change, you can turn off NLA and change the RDP security layer to native RDP security. See screenshot #2 below for turning off NLA (the "Allow connections only from computers running Remote Desktop with Network Level Authentication" checkbox on the Remote tab of System Properties). See screenshot #3 below for the group policy that selects the security layer (Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security > "Require use of specific security layer for remote (RDP) connections"), set to RDP instead of Negotiate (typically the default) or SSL (TLS 1.0). Be aware of what this gives up: without NLA the server completes the RDP handshake and presents the Windows logon screen to anyone who can reach the port, so unauthenticated clients get a much larger attack surface, and the native RDP layer does not authenticate the server with a TLS certificate, so sessions can be intercepted. Using NLA and the higher security layers is recommended on your server for these reasons; if you do relax them, turn them back on as soon as the password has been changed.
  3. Note: if you are having issues logging in to the server from RDP and getting errors about domain validation (when in workgroup mode and there is no domain), which is common with the Mac Remote Desktop client, make sure you are logging in with the full name "machinename\username" instead of just the username. Machinename is the name given to the server, which you can see under Computer Properties.
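The following PowerShell script is an added example, not part of the original article: it checks the two things that combine to cause the failure above (whether the RDP-Tcp listener requires NLA and which security layer it uses, and whether a given local account has the "must change password at next logon" flag set), warns when the combination will block RDP logon, and optionally applies workaround 1 by clearing the flag and setting a random strong password generated from the cryptographic RNG. It assumes a workgroup server with the default RDP-Tcp listener, that it is run elevated on the Session Host, and that $UserName is a local account; the script name and its parameters are this example's own.

```powershell
# Added example (not from the original article). Run elevated on the Session Host.
# Assumptions: default "RDP-Tcp" listener; $UserName is a LOCAL (workgroup) account.
param(
    [Parameter(Mandatory)] [string] $UserName,
    [switch] $ApplyWorkaround1   # clear the flag and set a random strong password
)

# Cryptographically random password; rejection sampling avoids modulo bias.
function New-StrongPassword {
    param([int] $Length = 20)
    # Ambiguous characters (0/O, 1/l/I) left out so the password can be dictated.
    $alphabet = [char[]] 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $n = $alphabet.Length
    $limit = 256 - (256 % $n)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void] $sb.Append($alphabet[$buf[0] % $n]) }
    }
    $sb.ToString()
}

# 1. Listener settings. UserAuthenticationRequired = 1 means NLA (CredSSP) is required;
#    SecurityLayer 0 = RDP native, 1 = Negotiate, 2 = TLS/SSL.
$ts = Get-CimInstance -Namespace root/cimv2/TerminalServices `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$nla = [bool] $ts.UserAuthenticationRequired
$layerNames = @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'TLS/SSL' }
$layer = $layerNames[[int] $ts.SecurityLayer]
"RDP-Tcp listener: NLA required = $nla, security layer = $layer"

# 2. Account flag via the ADSI WinNT provider. PasswordExpired = 1 is the
#    "User must change password at next logon" checkbox in User Properties.
$acct = [ADSI] "WinNT://$env:COMPUTERNAME/$UserName,user"
$mustChange = ([int] $acct.PasswordExpired.Value) -eq 1
"$($UserName): must change password at next logon = $mustChange"

# 3. The failing combination from the article.
if ($mustChange -and $nla) {
    Write-Warning ("$UserName will be rejected on RDP logon: NLA requires CredSSP to validate " +
                   "the password before a session exists, and a must-change password fails that check.")
}

# 4. Workaround 1: strong password, flag cleared, NLA left on.
if ($ApplyWorkaround1 -and $mustChange) {
    $newPassword = New-StrongPassword
    $acct.SetPassword($newPassword)
    $acct.PasswordExpired = 0        # uncheck "must change at next logon"
    $acct.SetInfo()
    "Password for $UserName replaced and change-at-logon flag cleared."
    "Deliver the password out of band, then have the user change it with Ctrl+Alt+End:"
    $newPassword
}
```

Usage: `.\Check-RdpPasswordChange.ps1 -UserName alice` reports the state; add `-ApplyWorkaround1` to fix it in place. If you insist on workaround 2 instead, the same Win32_TSGeneralSetting object exposes the SetUserAuthenticationRequired and SetSecurityLayer methods (equivalent to the UserAuthentication and SecurityLayer values under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp), which is also how you verify afterwards that NLA is back on. For a domain account the flag is pwdLastSet = 0 on the AD object rather than the WinNT PasswordExpired property.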


SCREENSHOT #1

User_Properties_General_Tab

SCREENSHOT #2

Turn_off_NLA

SCREENSHOT #3

Change_RDP_Security_Layer