AnsweredAssumed Answered

Change Password via RDP

Question asked by Fred Jobe on Dec 5, 2016
Latest reply on Dec 5, 2016 by Erica Chalfin

Like • Show 0 Likes0
Comment • 3

I'm using RSA Authentication Manager to provide two-factor authentication for Windows Remote Desktop Hosts. RDP to these hosts is the only interface the users have to this network/domain. When a users' Active Directory password is expired, there is no longer any dialog to change the password when establishing the RDP session after enabling the RSA agent.

Is there a way to get this functionality back, or another method I should investigate to allow users to change their passwords when expired?

Thanks

No one else has this question

Outcomes

Jeff Shurtliff

Dec 5, 2016 1:42 PM

Hi Fred,

I have moved this thread to the RSA SecurID Access community so that you can get an answer to your question.

Thanks,

Jeff

Actions

Edward Davis

Dec 5, 2016 3:37 PM

Well, might need more specifics about the setup to know for sure, but just tossing out a guess here....

if this is windows 10, it may be a known issue.

defect AAWIN-2315 has been opened to track the issue.

The Windows 10 update from 9 August 2016 contains updates to Windows authentication methods. Listed in the Known Issues section of MS16-101, is the following note:

This security update disables the ability of the Negotiate process to fall back to NTLM when Kerberos authentication fails for password change operations.

From the RSA Authentication Agent logs, it seems that the application being used to collect credentials for RDP on Windows 10 is now C:\Windows\System32\CredentialUIBroker.exe, rather than C:\Windows\System32\mstsc.exe. That change breaks the logic used by the RSA agent to identify the RDP use case (in which the RSA agent defers authentication to the Microsoft password provider)

1 person found this helpful

Actions

3 Replies

Jeff Shurtliff Dec 5, 2016 1:42 PM
Mark Correct
Correct Answer
Hi Fred,

I have moved this thread to the RSA SecurID Access community so that you can get an answer to your question.

Thanks,
Jeff
Like • Show 0 Likes0
Actions
Edward Davis Dec 5, 2016 3:37 PM
Mark Correct
Correct Answer
Well, might need more specifics about the setup to know for sure, but just tossing out a guess here....
if this is windows 10, it may be a known issue.

defect AAWIN-2315 has been opened to track the issue.

The Windows 10 update from 9 August 2016 contains updates to Windows authentication methods. Listed in the Known Issues section of MS16-101, is the following note:

This security update disables the ability of the Negotiate process to fall back to NTLM when Kerberos authentication fails for password change operations.

From the RSA Authentication Agent logs, it seems that the application being used to collect credentials for RDP on Windows 10 is now C:\Windows\System32\CredentialUIBroker.exe, rather than C:\Windows\System32\mstsc.exe. That change breaks the logic used by the RSA agent to identify the RDP use case (in which the RSA agent defers authentication to the Microsoft password provider)
1 person found this helpful
Like • Show 1 Like1
Actions
Erica Chalfin Dec 5, 2016 3:54 PM
Mark Correct
Correct Answer
Fred Jobe,

To add to the reply Edward Davis provided, please take a look at our article on 000033802 - Microsoft Windows update MS16-101 breaks RDP from the RSA Authentication Agent 7.3.1 for Windows for all RSA challenged users

Regards,
Erica
Like • Show 0 Likes0
Actions

Change Password via RDP

Outcomes

Related Content

Recommended Content