Outlook wants credentials after we select "User must change password at next logon" RRS feed

  • Question

  • Hello,

    is standart behivour, that Outlook wants credentials after We selected User must change password at next logon in Active Directory? We have https://docs.microsoft.com/en-us/exchange/architecture/client-access/kerberos-auth-for-load-balanced-client-access?view=exchserver-2019.


    Wednesday, September 2, 2020 7:31 AM

All replies

  • I'm going to posit that you can't do this. With NLA (network-level authentication) enforced, a user cannot log in remotely and change his or her password.

    You can use tsconfig.msc on the Remote Desktop server, right-click the RDP-Tcp connection and choose Properties, and change the security layer drop-down menu to 'RDP Security Layer,' but then you lose NLA. Unfortunately the two settings are mutually exclusive.

    If you must have NLA, then you need to establish an alternate method for users to change expired passwords, such as through Outlook Anywhere, or RDWeb Access, or a physical console of a domain-joined workstation, etc.

    This is sort of a catch-22 situation, because by design, NLA will not even allocate the system resources necessary to create a Remote Desktop session for you until after your credentials have been verified to be valid. But you would have to connect to a full session, have a desktop created, LogonUI.exe spawned for you, etc., in order to change your password. But you can't have a session because your password is expired. Allowing this would, I believe, open a hole in NLA where a user could bypass NLA and get a session anyway, even though they don't have a good (i.e. not expired) password.
    Wednesday, September 2, 2020 1:08 PM
  • The problem is I select User must change pswd in Active Directory and this user gets insta Credentials popup in Outlook.

    Thursday, September 3, 2020 7:04 AM