SecurID® Discussions

FredJobe
Beginner

Change Password via RDP

I'm using RSA Authentication Manager to provide two-factor authentication for Windows Remote Desktop Hosts. RDP to these hosts is the only interface the users have to this network/domain. When a user's Active Directory password is expired, there is no longer any dialog to change the password when establishing the RDP session after enabling the RSA agent.

Is there a way to get this functionality back, or another method I should investigate to allow users to change their passwords when expired?

Thanks

jeffshurtliff
Administrator

Hi Fred,

I have moved this thread to the https://community.rsa.com/community/products/securid?sr=search&searchId=5b297563-9b0e-4e59-83e6-3f7561f99da9&searchIndex=0 community so that you can get an answer to your question.

Thanks,

Jeff

EdwardDavis
Employee

Well, might need more specifics about the setup to know for sure, but just tossing out a guess here...

If this is Windows 10, it may be a known issue.

Defect AAWIN-2315 has been opened to track the issue.

The Windows 10 update from 9 August 2016 contains updates to Windows authentication methods. Listed in the Known Issues section of MS16-101 is the following note:

This security update disables the ability of the Negotiate process to fall back to NTLM when Kerberos authentication fails for password change operations.

From the RSA Authentication Agent logs, it seems that the application being used to collect credentials for RDP on Windows 10 is now C:\Windows\System32\CredentialUIBroker.exe, rather than C:\Windows\System32\mstsc.exe. That change breaks the logic used by the RSA agent to identify the RDP use case (in which the RSA agent defers authentication to the Microsoft password provider).

_EricaChalfin
Employee (Retired)

Fred Jobe,

To add to the reply Edward Davis provided, please take a look at our article on https://community.rsa.com/docs/DOC-58298

Regards,

Erica
