This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 16%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJH%3C/text%3E%3C/svg%3E)
We host cloud environments for our customers that they access via RDP (using RD Gateway with SSL - not Terminal Services). The environment in question is running at Server 2012 R2 functional level.There are technically 2 domain controllers running (one is 2012 R2, the other 2016).
The 2016 Domain Controller exists to support Azure AD Connect (and synchronization has been working perfectly - password sync is one-way, Active Directory to Office 365) and is effectively a clone of the original 2012 R2 domain controller except it is running a newer OS version (I.E. DNS, DHCP, Group Policy, etc. have all replicated properly and are up to date on both devices).
I have also confirmed that the clock time on each device is correct and there is not a massive difference between one of the DCs and the device I'm using to test.
In order to facilitate my testing - password age has temporarily been set to 0 days
Here are the issues I'm encountering (and not entirely sure how to resolve it):
Not 100% this is applicable to RDS gateway but in RDP its a security question, you can disable CredSSP on the server side, but since that lowers the security on all RDP connections to that server it is not recommended. To do it you de-select the βAllow connections only from computers running Remote Desktop with Network Level Authentication (recommended)β on the servers system properties. The client also have a setting for it but i think you have to disable it by editing an .rdp file (save as on the rdp profile) then edit the value related to CredSSP π however this is not recommended. But hope the information helps, if you want a more step-by-step guide try searching for "disable CredSSP for RDP" or "disable Network level authentication for RDP"
I'll definitely give it a try with my test user to see if it allows me to bypass the hangups. I'm still working on learning the CyberSecurity side of things, but I'd venture a guess that this kind of setting would not meet CIS IG1 compliance. I feel like I'm thinking to hard about this problem. Allowing password expiration and end user password resets is a normal thing. Why does adding RDP to the mix turn it into such a nightmare? I really appreciate your response and will give it a try. If it works, we'll have some serious considerations to make. However, if it gets us past the initial hump, it buys us a little time to figure out the rest of our plan on allowing this process to proceed organically without hindering the user or completely locking them out of RDP access.
I don't know much about your organization or users, but I still recommend to have it turned on! Maybe you can figure out another way for these users to do their first logon? Short info, CredSSP helps applications to delegate a users credentials from client to servers. One thing it protects against is "man in the middle" attacks (to help assure that they are not delegated to an unauthorized server).
Here below is a good article to understand a little more about CredSSP and how it works with RDP :)
https://www.linkedin.com/pulse/understanding-credssp-sushant-mishra/
So - I've tried a mix of everything and still can't seem to get anywhere positive.
If it was only the initial login, it wouldn't mind as much.
As far as I can tell, the user is unable to reset the password whatsoever.
Errors occur in the same fashion whether Network Level Authentication is enabled or disabled. Same goes for trying to disable CredSSP on the device the users connect from, to, and on the DC.
Have tried this on multiple different environments, including a 100% new setup.
I still feel like I have to be missing something here. Password expiration and resets should be a normal thing that doesn't require months of troubleshooting and guessing.
I have also tried opening a ticket with Microsoft - they gave up and just stopped responding.