Consider the following scenario:
- You have a Remote Desktop Session Host (RD Session Host) server that is running Windows Server 2008 R2 in a Virtual Desktop Infrastructure (VDI) environment. Or, you have remote apps that are published through RDWeb.
- You enable the Allow connections only from computers running Remote Desktop with Network Level Authentication option in the RDP-Tcp Properties dialog box by using the Remote Desktop Session Host Configuration tool (Tsconfig.msc).
- You establish a remote desktop session to the server from a client computer by using a user account that was granted Remote Desktop access.
- The password of the user account is expired.
- You receive the following error message:
You must change your password before logging on the first time. For assistance, contact your system administrator or technical support.
In this scenario, a prompt to change the password is not displayed. Therefore, you cannot change the password of the user account.
This issue also occurs in any RDP environment in which Network Level Authentication (NLA) and the Credential Security Support Provider (CredSSP) are enabled.
The issue occurs only when the client computer is not joined to the domain. A domain-joined client can change the password. A non-domain-joined client may also receive the following error message when the user logs on through the RD Web Access (RDWeb) portal:
The user name or password that you entered is not valid. Try typing it again.
The error message that is displayed changes when you connect to a VDI or to an RDSH directly from a non-domain-joined Windows 7 client on which the hotfix that is described in the following Microsoft Knowledge Base article is installed:
You cannot change an expired user account password in a Remote Desktop session from a client computer that is running Windows 7 or Windows Server 2008 R2
Even with that client hotfix installed, users cannot change the password from Mstsc.exe itself.
To resolve this issue, you must install this hotfix on the server that is hosting the RDWeb role. This hotfix does not provide a method for changing a password directly through Mstsc.exe for non-domain-joined clients. However, after you install this hotfix, users who try to log on to RDWeb (that is, to the web portal itself) by using an account that has an expired password are redirected to the password change page. After they update their password, users return to a functional state: they can log on to RDWeb and start RemoteApp sessions, and they can also use .rdp files or Mstsc.exe.
For more information, go to the following website:
The CredSSP protocol specification makes no provision for changing the user's password while NLA is in use. Therefore, the observed behavior can be considered "by design."
CredSSP is the underlying technology that enables NLA, and it does not support password changes. Therefore, password changes are not available in Mstsc.exe, and other RD clients that support NLA also cannot change the user's password.
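The following PowerShell script is an added example, not part of the Microsoft KB article. It reports whether the RDP-Tcp listener on an RD Session Host requires NLA, which is the condition under which an expired-password logon through Mstsc.exe cannot be completed. It assumes it is run locally on the RDSH with administrative rights and that the listener has the default name "RDP-Tcp"; change the $Listener parameter for a custom listener.

```powershell
# Added example (not from the KB article): report the NLA / security-layer
# configuration of an RD Session Host listener.
function Get-RdpListenerSecurity {
    param([string]$Listener = 'RDP-Tcp')   # assumption: default listener name

    # The Terminal Services WMI provider exposes the settings that Tsconfig.msc
    # writes. UserAuthenticationRequired = 1 corresponds to "Allow connections
    # only from computers running Remote Desktop with Network Level Authentication".
    $wmi = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                         -Class Win32_TSGeneralSetting `
                         -Filter "TerminalName='$Listener'"
    if ($null -eq $wmi) { throw "Listener '$Listener' not found in Win32_TSGeneralSetting." }

    # Cross-check against the registry values that back the WMI class.
    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\$Listener"
    $reg = Get-ItemProperty -Path $regPath

    $nlaRequired = ($wmi.UserAuthenticationRequired -eq 1)

    $securityLayer = switch ($wmi.SecurityLayer) {
        0       { 'RDP' }
        1       { 'Negotiate' }
        2       { 'TLS (SSL)' }
        default { "Unknown ($($wmi.SecurityLayer))" }
    }

    if ($nlaRequired) {
        $expired = 'Blocked: CredSSP cannot change the password, use the RDWeb password change page'
    } else {
        $expired = 'Not blocked by NLA'
    }

    # New-Object PSObject keeps this usable on the PowerShell 2.0 that ships
    # with Windows Server 2008 R2.
    New-Object PSObject -Property @{
        Listener                = $Listener
        NlaRequired             = $nlaRequired
        NlaRequiredRegistry     = ($reg.UserAuthentication -eq 1)
        SecurityLayer           = $securityLayer
        ExpiredPasswordViaMstsc = $expired
    }
}

$status = Get-RdpListenerSecurity
$status | Format-List Listener, NlaRequired, NlaRequiredRegistry, SecurityLayer, ExpiredPasswordViaMstsc

if ($status.NlaRequired -ne $status.NlaRequiredRegistry) {
    Write-Warning 'WMI and registry disagree; the listener may not have picked up the latest setting yet.'
}
```

Turning NLA off would remove the symptom, but it is not the remedy this article describes: NLA makes the client authenticate through CredSSP before the server allocates a session, so disabling it exposes the RDSH logon screen to unauthenticated clients. Keep NLA on and use the RDWeb password change page.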
As long as you apply this hotfix on the RDWeb server (it is not needed on the RDSH server), you do not have to install the client hotfix that addresses the password change issue. That is, KB 2648397 does not have to be installed on the Windows 7 client. After the server-side hotfix is installed on RDWeb, the password change page also works for clients that run other versions of Windows, such as Windows XP.
However, installing the hotfix on RD Web is not sufficient. After you install the hotfix, you have to set a flag to "true" in the Web.config file. By default, the feature that this flag controls is turned off. To turn on the feature, follow these steps:
1. Open the following file:
2. Change the value of the PasswordChangeEnabled key from "false" to "true":
<!-- PasswordChangeEnabled: Provides password change page for users. Value must be "true" or "false" -->
<add key="PasswordChangeEnabled" value="false" />
Sometimes this line is missing even after you install the hotfix. This occurs because the Web.config file, like most user-configurable files and registry settings, is marked as "mutable" in the Windows servicing infrastructure. When a file is marked mutable, Setup does not overwrite it with a later version if the file was changed after it was originally installed. This behavior makes sure that a user's files, settings, and custom code are not overwritten when an update is installed. So if Web.config was changed or customized before the hotfix was installed, the hotfix leaves the existing file in place and the new line is not added.
If this line is missing, manually add it to the relevant Web.config file (with the value set to "true"). This enables the new functionality.
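The following PowerShell script is an added example, not part of the Microsoft KB article. It performs the steps above in one pass: it confirms that the hotfix's Password.aspx is present, backs up Web.config, then sets PasswordChangeEnabled to "true", adding the appSettings entry if the hotfix did not (the "mutable" case), and re-reads the saved file to verify the result. It assumes the RD Web Access pages live under %windir%\Web\RDWeb\Pages, the default install location; adjust $RdWebPages if your deployment differs.

```powershell
# Added example (not from the KB article): enable the RDWeb password change page.
# Assumption: RDWeb page files are in %windir%\Web\RDWeb\Pages (default location).
param(
    [string]$RdWebPages = (Join-Path $env:windir 'Web\RDWeb\Pages')
)

$webConfig    = Join-Path $RdWebPages 'Web.config'
$passwordPage = Join-Path $RdWebPages 'Password.aspx'

# Password.aspx is installed by the hotfix; without it the flag has nothing to enable.
if (-not (Test-Path $passwordPage)) {
    throw "Password.aspx not found in $RdWebPages. Install the RDWeb hotfix first."
}
if (-not (Test-Path $webConfig)) {
    throw "Web.config not found at $webConfig."
}

# Web.config is a servicing-protected ("mutable") file: keep a timestamped backup.
$backup = "$webConfig.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -Path $webConfig -Destination $backup

# Load as XML with whitespace preserved so the rest of the file is left untouched.
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($webConfig)

$appSettings = $xml.SelectSingleNode('/configuration/appSettings')
if ($null -eq $appSettings) {
    $appSettings = $xml.DocumentElement.AppendChild($xml.CreateElement('appSettings'))
}

$setting = $appSettings.SelectSingleNode("add[@key='PasswordChangeEnabled']")
if ($null -eq $setting) {
    # The hotfix does not add the line when Web.config was customized; add it here.
    $setting = $xml.CreateElement('add')
    $setting.SetAttribute('key', 'PasswordChangeEnabled')
    $setting.SetAttribute('value', 'true')
    [void]$appSettings.AppendChild($setting)
    Write-Host 'Added <add key="PasswordChangeEnabled" value="true" />'
} elseif ($setting.GetAttribute('value') -ne 'true') {
    $setting.SetAttribute('value', 'true')
    Write-Host 'Changed PasswordChangeEnabled to "true"'
} else {
    Write-Host 'PasswordChangeEnabled is already "true"'
}

$xml.Save($webConfig)

# Verify against the file on disk rather than the in-memory document.
$check = New-Object System.Xml.XmlDocument
$check.Load($webConfig)
$value = $check.SelectSingleNode("/configuration/appSettings/add[@key='PasswordChangeEnabled']/@value").Value
if ($value -ne 'true') {
    throw "Verification failed: PasswordChangeEnabled is '$value'. Backup is at $backup."
}
Write-Host "PasswordChangeEnabled is now '$value' (backup: $backup)"
```

ASP.NET recycles the RDWeb application automatically when Web.config changes, so no IIS restart is required after the edit; if the page does not appear, compare the saved file with the backup to make sure the appSettings element landed inside the configuration root.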
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, go to the following Microsoft website:
The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
To apply this hotfix, you must be running Windows Server 2008 R2 or Windows Server 2008 R2 Service Pack 1 (SP1). Additionally, you must have the Remote Desktop Services server role installed and both the Remote Desktop Session Host and Remote Desktop Web Access role services enabled.
For more information about how to obtain a Windows 7 or Windows Server 2008 R2 service pack, click the following article number to view the article in the Microsoft Knowledge Base:
Information about Service Pack 1 for Windows 7 and for Windows Server 2008 R2
To apply the hotfix in this package, you do not have to make any changes to the registry.
You do not have to restart the computer after you apply this hotfix, provided that you stop the Remote Desktop Session Host role service before you apply it.
Hotfix replacement information
This hotfix does not replace a previously released hotfix.
The global version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.
Windows Server 2008 R2 file information notes
- The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:

| File version | Product | Milestone | Service branch |
|---|---|---|---|
| 6.1.7600.21xxx | Windows Server 2008 R2 | RTM | LDR |
| 6.1.7601.21xxx | Windows Server 2008 R2 | SP1 | LDR |
- The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the "Additional file information for Windows Server 2008 R2" section. MUM and MANIFEST files, and the associated security catalog (.cat) files, are extremely important to maintain the state of the updated components. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.
For all supported x64-based versions of Windows Server 2008 R2
| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Config.aspx | Not applicable | 69,896 | 29-Nov-2011 | 10:42 | Not applicable |
| Default.aspx | Not applicable | 45,954 | 29-Nov-2011 | 11:00 | Not applicable |
| Login.aspx | Not applicable | 59,722 | 29-Nov-2011 | 10:51 | Not applicable |
| Password.aspx | Not applicable | 44,346 | 29-Nov-2011 | 10:42 | Not applicable |
| Web.config | Not applicable | 4,776 | 28-Nov-2011 | 23:35 | Not applicable |
| Web.config | Not applicable | 4,953 | 28-Nov-2011 | 23:33 | Not applicable |
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.