Today’s story is about the side effects of turning Network Level Authentication (NLA) on. I’d like to focus on a specific case, namely the effects on end-users. There are two things widely used in password policies. One is that the user needs to change his/her password after the first login if it was reset by IT. The other one is expiration. This latter one is being challenged nowadays, but let’s assume you still have password expiration.
What happens if you try to log in with an initial or expired password via RDP? You receive a warning message saying that you need to change the password right after login, and it takes you to a password change screen.
What happens if you try to do the same thing, but NLA is turned on? You get an error like this:
This particular error does not refer to an expired password, but to the fact that the “User must change password at first logon” flag is set. But trust me, you get a very similar one with expired accounts :).
Just to be clear, it’s not a bug or a configuration mistake of any kind. If you turn on NLA, this is simply how it behaves.
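As an added example (not part of the original post), here is a PowerShell check an admin can run before turning NLA on: it reads the RDP host’s NLA setting and lists the enabled domain accounts that would run into the error above (password flagged to change at next logon, or already expired). It assumes the RSAT ActiveDirectory module is installed and that it runs on the RDP host being checked; the registry value and LDAP filter are standard Windows/AD ones, not taken from this post.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module and that this runs on the RDP host whose NLA setting is being checked.
Import-Module ActiveDirectory

# UserAuthentication = 1 means "Allow connections only from computers running
# Remote Desktop with Network Level Authentication" is enforced on this host.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
Write-Host ("NLA required on {0}: {1}" -f $env:COMPUTERNAME, ($nla -eq 1))

# Enabled accounts flagged "must change password at next logon" (pwdLastSet = 0).
# The bitwise LDAP match on userAccountControl excludes disabled accounts (bit 2).
$mustChange = Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

# Enabled accounts whose password has already expired.
$expired = Search-ADAccount -PasswordExpired -UsersOnly | Where-Object { $_.Enabled }

$affected = @($mustChange) + @($expired) | Sort-Object SamAccountName -Unique
if ($nla -eq 1 -and $affected) {
    Write-Warning ("{0} account(s) will hit the NLA error on RDP logon:" -f $affected.Count)
    $affected | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
}
```

Run it as a user with read access to the domain; the host registry read needs local admin on the RDP host.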