You cannot change an expired user account password in a remote desktop session that connects to a Windows Server 2008 R2-based RD Session Host server in a VDI environment

Article ID: 2648402

Symptoms

Consider the following scenario:
  • You have a Remote Desktop Session Host (RD Session Host) server that is running Windows Server 2008 R2 in a Virtual Desktop Infrastructure (VDI) environment. Or, you have remote apps that are published through RDWeb.
  • You enable the Allow connections only from computers running Remote Desktop with Network Level Authentication option in the RDP-Tcp Properties dialog box by using the Remote Desktop Session Host Configuration tool (Tsconfig.msc).
  • You establish a remote desktop session to the server from a client computer by using a user account that was granted Remote Desktop access.
  • The password of the user account is expired.
  • You receive the following error message:
    You must change your password before logging on the first time. For assistance, contact your system administrator or technical support.
In this scenario, a prompt to change the password is not displayed. Therefore, you cannot change the password of the user account.

Note This issue also occurs in any RDP environment in which Network Level Authentication (NLA) and the Credential Security Support Provider (CredSSP) are enabled.

This issue occurs only when the client is not in the domain. If the client is in the domain, the client will be able to change the password.

The client receives the error only when the client is not in the domain. The client may also receive the following error message when the client logs in from the RDWeb role:

The user name or password that you entered is not valid. Try typing it again.
This error will change when you are connecting to VDIs or RDSHs directly from a non-domain-joined computer if the hotfix that is described in the following Microsoft Knowledge Base article is installed on the Windows 7 client:
2648397 You cannot change an expired user account password in a Remote Desktop session from a client computer that is running Windows 7 or Windows Server 2008 R2
However, users will not be able to make any password change from Mstsc.exe itself.

Resolution

To resolve this issue, you must install this hotfix on the server that is hosting the RDWeb role. This hotfix does not provide a method for changing a password directly through Mstsc.exe for non-domain-joined clients. However, after you install this hotfix, users who try to log on to RDWeb (that is, on to the web portal itself) by using an account that has an expired password will be redirected to the password change page. After they update their password, users will return to a functional state. They can log on to RDWeb and start RemoteApp sessions. They can also use .rdp files or Mstsc.exe.

For more information, go to the following website:
CredSSP spec

In the protocol specification for CredSSP, there is no reference to the ability to change the user's password while NLA is running. Therefore, the observed behavior can be considered "by design." 

CredSSP is the underlying technology that enables NLA, and it does not support password changes. Therefore, password changes are not enabled in MSTSC. Other RD clients that support NLA should be unable to change the user’s password.

Unless you apply this hotfix on an RDWeb server and not on an RDSH server, you do not have to have the client hotfix that resolves the password change issue. That is, you do not have to have KB 2648397 installed on the Windows 7 client. After you have the server-side hotfix installed on RDWeb, it will also work for other versions of Windows such as Windows XP.

However, you must do more than install the hotfix on RD Web. After you install the hotfix, you have to set a flag to TRUE in the Web.config file. By default, the feature that this flag represents is turned off. To turn on the feature, follow these steps: 
  1. Open the following file:

    %systemDrive%/windows/web/rdweb/pages/web.config
  2. Set the following value to TRUE:

    <!-- PasswordChangeEnabled: Provides password change page for users. Value must be "true" or "false" -->

    <add key="PasswordChangeEnabled" value="false" />
Sometimes, this line of code may be missing even after you install the hotfix. This behavior may occur because the Web.config file, together with most user-configurable files and registry settings, is marked as "mutable" in our servicing infrastructure. When the value is set to TRUE, Setup will not overwrite a file by using a later version if the user changed the original file. This behavior makes sure that a user's files, settings, and custom code are not overwritten when an update is installed. If the Web.config file was changed or customized, the system will not overwrite the file.

If this line of code is missing, you should manually add it to the relevant Web.config file. This will enable the new functionality.
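
One way to script step 2 together with the missing-key case, as an added example (not code from Microsoft or from the hotfix package). It assumes the key belongs under an appSettings element in Web.config and that the script runs elevated on the RD Web Access server; the backup file name is an arbitrary choice.

```powershell
# Added example: enable the RD Web password change page after the hotfix is installed.
# Assumption: PasswordChangeEnabled is an <add> entry under <appSettings> in Web.config.
$configPath = Join-Path $env:SystemDrive 'Windows\Web\RDWeb\Pages\Web.config'
$keyName    = 'PasswordChangeEnabled'

if (-not (Test-Path -LiteralPath $configPath)) {
    throw "Web.config not found at $configPath"
}

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true          # keep existing layout and comments intact
$xml.Load($configPath)

# local-name() keeps the lookup working whether or not the file declares an XML namespace.
$appSettings = $xml.SelectSingleNode("/*[local-name()='configuration']/*[local-name()='appSettings']")
if ($appSettings -eq $null) {
    throw "No appSettings section found in $configPath; not modifying the file."
}

$node    = $appSettings.SelectSingleNode("*[local-name()='add'][@key='$keyName']")
$changed = $false

if ($node -eq $null) {
    # The hotfix did not replace a customized ("mutable") Web.config, so the key is absent.
    $node = $xml.CreateElement('add', $appSettings.NamespaceURI)
    $node.SetAttribute('key', $keyName)
    $node.SetAttribute('value', 'true')
    [void]$appSettings.AppendChild($node)
    $changed = $true
    Write-Output "$keyName was missing; added with value 'true'."
}
elseif ($node.GetAttribute('value') -cne 'true') {
    $old = $node.GetAttribute('value')
    $node.SetAttribute('value', 'true')
    $changed = $true
    Write-Output "$keyName changed from '$old' to 'true'."
}
else {
    Write-Output "$keyName is already 'true'; no change made."
}

if ($changed) {
    # Back up the current file before writing so a customized Web.config can be restored.
    $backup = "$configPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -LiteralPath $configPath -Destination $backup
    $xml.Save($configPath)
    Write-Output "Saved $configPath (backup: $backup)."
}
```

The script is safe to re-run: it writes the file only when the key is absent or not already set to true.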

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, go to the following Microsoft website:
http://support.microsoft.com/contactus/?ws=support
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, you must be running Windows Server 2008 R2 or Windows Server 2008 R2 Service Pack 1 (SP1). Additionally, you must have the Remote Desktop Services server role installed and both the Remote Desktop Session Host and Remote Desktop Web Access role services enabled.

For more information about how to obtain a Windows 7 or Windows Server 2008 R2 service pack, click the following article number to view the article in the Microsoft Knowledge Base:
976932 Information about Service Pack 1 for Windows 7 and for Windows Server 2008 R2

Registry information

To apply the hotfix in this package, you do not have to make any changes to the registry.

Restart requirement

You do not have to restart the computer after you apply this hotfix. To avoid restarting, stop the Remote Desktop Session Host role service.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.

File information

The global version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.
Windows Server 2008 R2 file information notes
  • The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:
    | Version | Product | Milestone | Service branch |
    |---|---|---|---|
    | 6.1.7600.21xxx | Windows Server 2008 R2 | RTM | LDR |
    | 6.1.7601.21xxx | Windows Server 2008 R2 | SP1 | LDR |
  • The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the "Additional file information for Windows Server 2008 R2" section. MUM and MANIFEST files, and the associated security catalog (.cat) files, are extremely important to maintain the state of the updated components. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.
For all supported x64-based versions of Windows Server 2008 R2
| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Tsportalwebpart.dll | 6.1.7600.21099 | 294,912 | 29-Nov-2011 | 09:34 | x86 |
| Tsportalwebpart.dll | 6.1.7601.21868 | 299,008 | 29-Nov-2011 | 09:05 | x86 |
| Config.aspx | Not applicable | 69,896 | 29-Nov-2011 | 10:42 | Not applicable |
| Default.aspx | Not applicable | 45,954 | 29-Nov-2011 | 11:00 | Not applicable |
| Login.aspx | Not applicable | 59,722 | 29-Nov-2011 | 10:51 | Not applicable |
| Password.aspx | Not applicable | 44,346 | 29-Nov-2011 | 10:42 | Not applicable |
| Tsportalwebpart.resources.dll | 6.1.7600.21099 | 28,672 | 29-Nov-2011 | 10:34 | x86 |
| Tsportalsetup.exe | 6.1.7600.21099 | 86,528 | 29-Nov-2011 | 09:06 | x64 |
| Tsportalwebpart.dll | 6.1.7600.21099 | 294,912 | 29-Nov-2011 | 09:34 | x86 |
| Tswa_migplugin.dll | 6.1.7600.21099 | 150,528 | 29-Nov-2011 | 09:13 | x64 |
| Web.config | Not applicable | 4,776 | 28-Nov-2011 | 23:35 | Not applicable |
| Tsportalsetup.exe | 6.1.7601.21868 | 87,552 | 29-Nov-2011 | 08:55 | x64 |
| Tsportalwebpart.dll | 6.1.7601.21868 | 299,008 | 29-Nov-2011 | 09:05 | x86 |
| Tswa_migplugin.dll | 6.1.7601.21868 | 150,528 | 29-Nov-2011 | 09:00 | x64 |
| Web.config | Not applicable | 4,953 | 28-Nov-2011 | 23:33 | Not applicable |

Workaround

To work around the issue, use one of the following methods:
  • Disable the Allow connections only from computers running Remote Desktop with Network Level Authentication option on the RD Session Host server.
  • Change the password of the user account by using a different method.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More information

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Additional file information

Additional file information for Windows Server 2008 R2

Additional files for all supported x64-based versions of Windows Server 2008 R2

Properties

Article ID: 2648402 - Last Review: February 18, 2014 - Revision: 2.0
Applies to
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Enterprise
Keywords: 
kbautohotfix kbqfe kbhotfixserver kbfix kbsurveynew kbexpertiseinter KB2648402
