In this article we’ll show how to enable the RD Web Access password reset option on a Remote Desktop Services (RDS) server farm running Windows Server 2012 / 2012 R2.
By default, NLA (Network Level Authentication) is enabled in Windows Server 2012 R2 and Windows 8.1. It does not allow users to connect over RDP if their passwords have expired. When trying to connect to an RDS server with a user account whose password has expired, the following error message appears:
The Local Security Authority cannot be contacted
Remote computer: lonSrvRDS1
This could be due to an expired password
Please update your password if it has expired.
Thus, when using NLA, changing an expired password over RDP can become almost impossible for remote users who have no other way to log in to the corporate network. Certainly, you can ask your users to change their passwords directly in the RDP session, but this doesn’t always work because users commonly forget to do so.
In Windows Server 2012 / 2012 R2 an option appeared that allows a remote user to change their password (current or expired) using a special web page on the RD Web Access server. The password is changed as follows: the user signs in to the sign-in web page on the server with the RD Web Access role and changes their password using a special form.
The remote password change option is available on a server with the Remote Desktop Web Access (RD Web Access) role, but it is disabled by default. Password changes are handled by the password.aspx page, which is located in C:\Windows\Web\RDWeb\Pages\en-US.
To enable the password change option, on the server with the configured RD Web Access role open the IIS Manager console, go to [Server Name] –> Sites –> Default Web Site –> RDWeb –> Pages and open the Application Settings section.
In the right pane, find the PasswordChangeEnabled parameter and change its value to true.
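The same change can be made from PowerShell, which is handy on a farm with several RD Web servers. The script below is an added example, not code from the original article: it flips the PasswordChangeEnabled key in the appSettings section of the Pages web.config (the section the Application Settings feature in IIS Manager edits), reads it back to confirm the change applied, and checks that the site has an HTTPS binding, since password.aspx receives the user's old and new passwords. It assumes the RD Web Access role sits under Default Web Site, as in the path above, and that the WebAdministration module is available.

```powershell
# Added example (not from the original article): enable the RD Web Access
# password change page from PowerShell instead of the IIS Manager GUI,
# read the setting back, and confirm the site has an HTTPS binding.
# Assumptions: RD Web Access lives under "Default Web Site" (the path the
# article names) and the WebAdministration module is installed.
Import-Module WebAdministration

$pagesPath = 'IIS:\Sites\Default Web Site\RDWeb\Pages'
$filter    = "appSettings/add[@key='PasswordChangeEnabled']"

# Current value as stored in the Pages web.config appSettings section
$before = Get-WebConfigurationProperty -PSPath $pagesPath -Filter $filter -Name 'value'
Write-Host "PasswordChangeEnabled before: $($before.Value)"

# Equivalent of setting PasswordChangeEnabled = true in Application Settings
Set-WebConfigurationProperty -PSPath $pagesPath -Filter $filter -Name 'value' -Value 'true'

# Read the value back rather than trusting that the write succeeded
$after = Get-WebConfigurationProperty -PSPath $pagesPath -Filter $filter -Name 'value'
if ($after.Value -ne 'true') {
    throw "PasswordChangeEnabled was not applied (read back '$($after.Value)')"
}
Write-Host "PasswordChangeEnabled after:  $($after.Value)"

# Credentials are posted to password.aspx, so the site needs an HTTPS binding
$https = Get-WebBinding -Name 'Default Web Site' -Protocol 'https'
if (-not $https) {
    Write-Warning 'Default Web Site has no HTTPS binding; do not publish password.aspx over plain HTTP.'
} else {
    Write-Host "HTTPS binding present: $($https.bindingInformation)"
}
```

Run it in an elevated PowerShell session on each RD Web Access server; the read-back check makes the script safe to re-run, and the binding check is the one thing worth looking at before linking the page from the sign-in form.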
You can test the password change mechanism by going to the following web page:
Now when a user tries to connect to the RD Web Access server with an expired password, they will be redirected to the password.aspx web page and prompted to change the password.
You can also add a link to the password change form directly to the sign-in form on the RDWeb server. This allows users to change their password at any time without waiting until it expires.
Let’s add a link to password.aspx to the sign-in page.
- On the RDWeb server, find and open C:\Windows\Web\RDWeb\Pages\en-US\login.aspx in any text editor (I prefer Notepad++).
- Go to line 583 and insert the following code there:
<a href="https://lonSrvRDS1/RDWeb/Pages/en-US/password.aspx"> Password Reset Utility</a>
- Save the changes to login.aspx, restart the IIS website and make sure that the link to the password change page has appeared on the RD Web sign-in page.
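The three steps above can be scripted so that the edit is identical on every RD Web server in the farm and can be reverted. The script below is an added example, not code from the original article: it backs up login.aspx, inserts the link so that it becomes line 583 (the line number given above; treating it as an insertion rather than an overwrite is this example's assumption), skips the edit if the link is already present, and restarts the site. It assumes the server name lonSrvRDS1 and the file path used in the article.

```powershell
# Added example (not from the original article): add the password.aspx link
# to the RD Web sign-in page from PowerShell, with a backup.
# Assumptions: server name lonSrvRDS1 and the en-US login.aspx path from the
# article; the link is inserted as a new line 583 (the article's line number
# for the Windows Server 2012 R2 version of the file).
Import-Module WebAdministration

$server    = 'lonSrvRDS1'
$loginPage = 'C:\Windows\Web\RDWeb\Pages\en-US\login.aspx'
$lineNo    = 583
$linkText  = 'Password Reset Utility'
$link      = "<a href=`"https://$server/RDWeb/Pages/en-US/password.aspx`"> $linkText</a>"

if (-not (Test-Path $loginPage)) { throw "Sign-in page not found: $loginPage" }

$lines = Get-Content -Path $loginPage

# Make the script idempotent: do not add the link twice
if ($lines -match [regex]::Escape($linkText)) {
    Write-Host 'Link already present; nothing to do.'
    return
}
if ($lines.Count -lt ($lineNo - 1)) {
    throw "login.aspx has only $($lines.Count) lines; inspect the file before inserting at line $lineNo"
}

# Keep an untouched copy so the change can be reverted
$backup = "$loginPage.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -Path $loginPage -Destination $backup

# Everything before line 583 stays, the link becomes line 583, the rest shifts down
$head = $lines[0..($lineNo - 2)]
$tail = if ($lines.Count -ge $lineNo) { $lines[($lineNo - 1)..($lines.Count - 1)] } else { @() }
$updated = @($head) + @($link) + @($tail)
Set-Content -Path $loginPage -Value $updated -Encoding UTF8

# Restart the site so IIS serves the modified page
Stop-Website  -Name 'Default Web Site'
Start-Website -Name 'Default Web Site'
Write-Host "Inserted link at line $lineNo of $loginPage (backup: $backup)"
```

The link deliberately uses https:// and the server's name so the password form is never reached over plain HTTP; if the server is published under a different FQDN or through the RD Gateway, set $server to the name users actually type in the browser. After the restart, open the sign-in page and confirm the link is visible, then keep the .bak file until the change has been verified on every server.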