Change Password via RDP
I'm using RSA Authentication Manager to provide two-factor authentication for Windows Remote Desktop Hosts. RDP to these hosts is the only interface the users have to this network/domain. When a user's Active Directory password is expired, there is no longer any dialog to change the password when establishing the RDP session after enabling the RSA agent.
Is there a way to get this functionality back, or another method I should investigate to allow users to change their passwords when expired?
I have moved this thread to the https://community.rsa.com/community/products/securid?sr=search&searchId=5b297563-9b0e-4e59-83e6-3f7561f99da9&searchIndex=0 community so that you can get an answer to your question.
Well, might need more specifics about the setup to know for sure, but just tossing out a guess here...
If this is Windows 10, it may be a known issue.
Defect AAWIN-2315 has been opened to track the issue.
The Windows 10 update from 9 August 2016 contains updates to Windows authentication methods. Listed in the Known Issues section of MS16-101 is the following note:
This security update disables the ability of the Negotiate process to fall back to NTLM when Kerberos authentication fails for password change operations.
From the RSA Authentication Agent logs, it seems that the application being used to collect credentials for RDP on Windows 10 is now C:\Windows\System32\CredentialUIBroker.exe, rather than C:\Windows\System32\mstsc.exe. That change breaks the logic used by the RSA agent to identify the RDP use case (in which the RSA agent defers authentication to the Microsoft password provider).