Posted on May 20, 2015 · Posted in Windows Server 2012 R2

Allow users to reset expired password via RD WebAccess in Windows Server 2012

In this article we’ll show how to enable the RD Web Access password reset option on a Remote Desktop Services (RDS) server farm running Windows Server 2012 / 2012 R2.

By default, in Windows Server 2012 R2 and Windows 8.1 NLA (Network Level Authentication) is enabled. It doesn’t allow users to connect over RDP if their passwords have expired. When trying to connect to an RDS server with a user account whose password has expired, the following error message appears:

An authentication error has occurred.
The Local Security Authority cannot be contacted
Remote computer: lonSrvRDS1
This could be due to an expired password
Please update your password if it has expired.

Thus, when NLA is used, changing an expired password over RDP can become almost impossible for remote users who have no other way to log in to the corporate network. Certainly, you can ask your users to change their passwords in advance directly in the RDP session, but this doesn’t always work, because users commonly forget to do it.

Windows Server 2012 / 2012 R2 introduced an option that allows a remote user to change their password (a current or an expired one) using a special web page on the RD Web Access server. The password is changed like this: a user signs in to the sign-in web page on the server with the RD Web Access role and changes their password using a special form.

Note. In previous Windows Server versions a remote password change in the domain was possible using a small web application, IISADMPWD (though it was not officially supported).

The remote password change option is available on a server with the Remote Desktop Web Access (RD Web Access) role, but it is disabled by default. Passwords are changed by the script password.aspx, which is located in C:\Windows\Web\RDWeb\Pages\en-US.

To enable the password change option, on the server with the configured RD Web Access role open the IIS Manager console, go to [Server Name] –> Sites –> Default Web Site –> RDWeb –> Pages and open the section Application Settings.


In the right pane, find the PasswordChangeEnabled parameter and change its value to true.


You can test the password change mechanism by going to the following web page:

https://lonSrvRDS1/RDWeb/Pages/en-US/password.aspx
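The same change can be made from PowerShell instead of the IIS Manager console. This is an added example, not a script from the original article; it assumes the WebAdministration module that ships with the IIS role, that the RD Web Access site is the default "Default Web Site", and that the PasswordChangeEnabled setting lives in the appSettings of the RDWeb/Pages application (as the IIS Manager steps above imply). Adjust $SiteName if your site is named differently.

```powershell
# Added example (not from the original article): enable the RD Web Access
# password change page from PowerShell and verify the result.
# Assumptions: WebAdministration module available, site named "Default Web Site",
# PasswordChangeEnabled stored in appSettings of the RDWeb/Pages application.
Import-Module WebAdministration

$SiteName  = 'Default Web Site'
$PagesPath = "IIS:\Sites\$SiteName\RDWeb\Pages"
$Filter    = "appSettings/add[@key='PasswordChangeEnabled']"

# Read the current value of PasswordChangeEnabled. Depending on the provider
# version the cmdlet returns either a plain string or an object with a .Value
# property, so handle both.
function Get-PasswordChangeEnabled {
    $prop = Get-WebConfigurationProperty -PSPath $PagesPath -Filter $Filter -Name 'value'
    if ($prop -is [string]) { return $prop } else { return [string]$prop.Value }
}

$current = Get-PasswordChangeEnabled
Write-Host "PasswordChangeEnabled is currently: $current"

if ($current -ne 'true') {
    # This writes to the Pages application's web.config, which is the same
    # place the IIS Manager "Application Settings" page edits.
    Set-WebConfigurationProperty -PSPath $PagesPath -Filter $Filter -Name 'value' -Value 'true'

    # Restart the site so RD Web Access picks up the new setting.
    Stop-Website  -Name $SiteName
    Start-Website -Name $SiteName
}

# Verify the change took effect before telling users the page is available.
$after = Get-PasswordChangeEnabled
if ($after -eq 'true') {
    Write-Host "Password change page enabled: https://$env:COMPUTERNAME/RDWeb/Pages/en-US/password.aspx"
} else {
    Write-Warning "PasswordChangeEnabled is still '$after'; check the web.config of the RDWeb/Pages application."
}
```

Run it in an elevated PowerShell session on the RD Web Access server; the final line tells you whether the setting is active.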

Now, when a user with an expired password tries to sign in to the RD Web Access server, they will be redirected to the password.aspx web page and prompted to change their password.


Tip. The same feature becomes available on Windows Server 2008 R2 after you install a special update, KB2648402.

You can add a link to the password change form directly on the sign-in web form of the RDWeb server. This will allow users to change their password at any time without waiting until it expires.

Let’s add a link to password.aspx to the sign-in page.

  1. On the RDWeb server, find and open C:\Windows\Web\RDWeb\Pages\en-US\login.aspx in any text editor (I prefer Notepad++).
  2. Go to line 583 and enter the following code in it: <a href="https://lonSrvRDS1/RDWeb/Pages/en-US/password.aspx"> Password Reset Utility</a>
  3. Save the changes as login.aspx, restart the IIS web site and make sure that a link to the password change page has appeared on the sign-in page of the RD Web server.
