We are using NLA, yes. I’ll have to look into this more.
One possible fairly easy thing would be to maybe just add additional logic / information into the error msg thrown by guac to give the admin addt’l clues as to what may be the issue.

Thank you,
Brad Turnbough
Senior Technology Analyst

From: Nick Couchman <[email protected]>
Sent: Monday, January 27, 2025 11:46 AM
To: [email protected]
Subject: Re: RDP Connection using an account with a password set to 'user must change password at next login'

On Mon, Jan 27, 2025 at 12:08 PM Brad Turnbough <[email protected]> wrote:

> Guac gives us a message about the RDP connection being denied, but doesn’t provide the reason why. Upon further investigation, the AD account password was set to ‘change at next logon’. Once we disabled that, we were able to log in without issue. Is this a known issue, a bug, or something that I need to report via the proper means/measures?

My recollection of this issue is that it's a known issue with RDP + NLA, in general, and not something specific to Guacamole.

I believe it has to do with the way that NLA works - the authentication happens as part of the connection step, prior to the ability to actually interact with the Windows interface. This means if something like a password expiration or forced password change is required for the account, it will not be possible to log in with RDP. If your experience differs and you're able to successfully connect with something like Microsoft Remote Desktop client or xfreerdp with an account in the above state, feel free to reply and tell me I'm wrong :-). I'm going off past experience/memory, here.

-Nick
