Terminal Service Plus

Hi,
we have a setup made of domain joined Windows 2012 R2 server using Flexicloud application servers behind your Reverse Gateway.
All servers are updated to latest windows update, the application server use Flexicloud v 11.60.10.19, Reverse Gateway use Flexicloud v 10.4.8.5.
Client computers have latest Windows Update and the Flexicloud client v 11.50.0.62, are connecting from Wan, not domain joined.
Users are consuming seamless applications via RemoteApp client.

A domain policy force users to change their password periodically, but they are able to change change the expired password only through the HTML5 client and only if the "Allow connection only from computers running Remote Desktop with Network Level Authentication" checkbox is disabled in SystemPropertiesRemote.exe.

There is no way to change the expired password when using the RemoteApp connection because they get a message box saying "You must change your password before logging on the first time. Please update your password or contact your system administrator or technical support."

If I enable the NLA on SystemPropertiesRemote.exe and login with the HTML5 client, after entering the expired password they get a yellow warning stating:
Network Level Authentication
RDP: 127.0.0.1:3389
CredSSP required by server!

and login is interrupted. Logging with the RemoteApp client says the usual message "You must change your password before logging on ..."

There is a way to permit users to change their password when expired through the RemoteApp client and moreover with the NLA enabled on on SystemPropertiesRemote.exe ?

Cheers.

cmarsura wrote: ↑

Mon Oct 22, 2018 3:52 pm

There is a way to permit users to change their password when expired through the RemoteApp client and moreover with the NLA enabled on on SystemPropertiesRemote.exe ?

Hello,

that is not possible on Windows RDP servers.
https://support.microsoft.com/en-us/hel ... te-desktop

In the protocol specification for CredSSP, there is no reference to the ability to change the user's password while NLA is running. Therefore, the observed behavior can be considered "by design."

CredSSP is the underlying technology that enables NLA, and it does not support password changes. Therefore, password changes are not enabled in MSTSC. Other RD clients that support NLA should be unable to change the user’s password.

So, turning off NLA, there is a way to permit the users to change their expired passwords without going trough the HTML5 client ?

Thanks.

Hello,

Use ctrl + alt + end to display the task manager and allow your users to change their password.

Yes, the ctrl + alt + end must be used in normal condition when the user decides to change the password, but I am referring to when the password change is initiated by OS, for example when there is a password policy that expires user's passwords after a specified time; in that situation the user gets a message box that says "You must change your password before logging on the first time. Please update your password or contact your system administrator or technical support.". No ctrl + alt + end is accepted and dismissing the message box returns him to login dialog.

This is the issue that I am try to solve.

Hello,

when NLA is disabled doesn't mean automatically that RemoteApp client would degrade the connection automatically. By HTML5 client if CredSSP is not enforced on server then the client will degrade connection automatically by going each time one level down. As example initially 3=SSL + NLA(CredSSP) failure? then try 2=SSL only, still failure? then try 1=RDP-only security, and therefore by HTML5 client you are able to see logon window when CredSSP not enforced and wrong logon used, or when password field is empty wich would predictably mean failure.
Native client, also RemoteApp doesn't have such auto-degrading logic, by first failure it will just exit. There you must explicitelly tell to the client to not use CredSSP, also create/edit *.rdp file with added
enablecredsspsupport:i:0
however that wouldn't affect RemoteApp client and this setting must be used so with mstsc.exe
And highly that will never be used inside RemoteApp client since permanent enforcing of this setting would cause always degraded security.
Additionally you can change
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\MinEncryptionLevel
to 1

On ther hand there is another recommendation instead to change security level allow to change password before expiration with gpedit.msc
Computer Configuration\Policies\Windows Settings\Security Options\Interactive logon: Prompt user to change password before exporation
(or similar path)

and
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security
Require user authentication for remote connections by using Network Level Authentication: Disable)