Wednesday, January 11, 2012

You cannot change an expired user account password in a remote desktop session that connects to a Windows Server 2008 R2-based RD Session Host server in a VDI environment

Two new hotfixes (one client, one server) were released today regarding the ability to change a expired password in a VDI environment based on Windows Server 2008 R2.


Client hotfix:
Article ID: 2648397 - Last Review: January 11, 2012 - Revision: 1.0
You cannot change an expired user account password in a Remote Desktop session from a client computer that is running Windows 7 or Windows Server 2008 R2

Consider the following scenario:
  • A Remote Desktop Session Host (RD Session Host) server that is running Windows Server 2008 R2 is deployed in a Virtual Desktop Infrastructure (VDI) environment.
  • The Allow connections only from computers running Remote Desktop with Network Level Authentication option is enabled on the RD Session Host server.
  • You establish a Remote Desktop session to the server from a client computer that is running Windows 7 or Windows Server 2008 R2 by using a user account that is granted Remote Desktop access.

    Note The client computer could be a computer inside the VDI environment, or a stand-alone computer outside the VDI environment.
  • The password of the user account is expired.
  • You receive the following message:
    You must change your password before logging on the first time. For assistance, contact your system administrator or technical support.
In this scenario, a dialog box that prompts you to change the password is not displayed. Therefore, you cannot change the password of the user account.

Note This issue also occurs in RDP environments that have Network Level Authentication (NLA) and Credential Security Support Provider (CredSSP) enabled.

After you install this hotfix, you will receive an error message that states your password is expired. However, the hotfix does not provide a dialog box that prompts you to change your password.

Source and hotfix: http://support.microsoft.com/kb/2648397/en-us?sd=rss&spid=14134

Server hotfix:
Article ID: 2648402 - Last Review: January 11, 2012 - Revision: 1.0
You cannot change an expired user account password in a remote desktop session that connects to a Windows Server 2008 R2-based RD Session Host server in a VDI environment

Consider the following scenario:
  • You have a Remote Desktop Session Host (RD Session Host) server that is running Windows Server 2008 R2 in a Virtual Desktop Infrastructure (VDI) environment.
  • You enable the Allow connections only from computers running Remote Desktop with Network Level Authentication option in the RDP-Tcp Properties dialog box by using the Remote Desktop Session Host Configuration tool (Tsconfig.msc).
  • You establish a remote desktop session to the server from a client computer by using a user account that is granted Remote Desktop access.
  • The password of the user account is expired.
  • You receive the following message:
    You must change your password before logging on the first time. For assistance, contact your system administrator or technical support.
In this scenario, a prompt to change the password is not displayed. Therefore, you cannot change the password of the user account.

Note This issue also occurs in any RDP environment where Network Level Authentication (NLA) and the Credential Security Support Provider (CredSSP) are enabled.


Source and hotfix: http://support.microsoft.com/kb/2648402/en-us?sd=rss&spid=14134

No comments:

Post a Comment

Post a Comment