Lately I’ve been doing some experiments with Active Directory and of course I’m running my lab environment in Azure. It works great, until after 42 days the password of the one and only user account (mine) in the domain expires. Azure only provides remote desktop access to virtual machines, and in a default setup it’s impossible to change the password over rdp once the password has expired.
In all modern incarnations of remote desktop, the user authentication is done during the connection phase. This is called NLA: Network Level Authentication. It means the user name and password is entered in the Rdp client, as part of the connection setup. Not like in the old days where the remote desktop would show up and present the same user name and password prompt as if one were actually sitting at the physical console. In the old days, the remote server could show a password expired message and force a password reset before the logon was accepted. With NLA, that just doesn’t work. So what we need to do is to disable NLA, without logging on to the remote machine.
To disable NLA, we need to do that on both the client and the server. On the client, it’s fairly straight forward, although it can’t be done in the UI.
- Open the remote desktop client, fill in the host name and save the connection settings.
- Open the rdp file in a text editor and add a line
enablecredsspsupport:i:0at the top
- Save the file and double click it to open the remote desktop client.
If you try to connect now, you’ll get an error message that the server requires NLA. So to continue, we need to disable that on the server.
Thanks Russel Smith for the details on how to use WMI to do this.
Disabling the NLA requirement on the server is normally just an unchecked checkbox in the system properties. But that won’t work when we’re already locked out of the machine. So we need to access the machine and somehow change the setting. It turns out that can be done with WMI. When I did this, I used another VM on the same virtual network. But I assume it would work straight from the Internet if the required ports are opened in the Network Security Group associated with the VM.
From the other VM, run the following commands in a powershell Window, with the IP number being the internal IP of the server you’re locked out of and DOMAIN\USERNAME being the domain/user info (set the computer name as domain if it is not a domain joined computer).
$wmi = (Get-WmiObject -class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -ComputerName 10.0.1.5 -Filter "TerminalName="RDP-tcp"" -Credential DOMAIN\USERNAME) $wmi $wmi.SetUserAuthenticationRequired(0)
The second line,
$wmi just prints out the current settings before altering them.
Now you can use the prepared rdp file and log on to the server. Note how there is no password prompt before the Rdp session is being launched, instead the log in prompt is displayed inside the Rdp session. From this place, the reset password prompt works.
Finally it’s time to re-enable security. On the client, just delete the created rdp file. On the server, you can do that by going back to the powershell window on the other VM: