
Regaining Access to Azure VMs With Expired Passwords

42 isn't just the Ultimate Answer, it's the number of days until your Azure VM passwords expire. Here's how to get back into your machines.

Lately I’ve been doing some experiments with Active Directory and, of course, I’m running my lab environment in Azure. It works great until 42 days have passed. That's when the password of the one and only user account (mine) in the domain expires. Azure only provides remote desktop access to virtual machines, and in a default setup, it’s impossible to change the password over RDP once the password has expired.

In all modern incarnations of remote desktop, user authentication is done during the connection phase. This is called NLA: Network Level Authentication. It means the username and password are entered in the RDP client as part of the connection setup, unlike in the old days, when the remote desktop would show up and present the same username and password prompt as if one were actually sitting at the physical console. Back then, the remote server could show a password-expired message and force a password reset before the login was accepted. With NLA, that just doesn’t work. So what we need to do is disable NLA without logging on to the remote machine.

Disable Client NLA

NLA has to be disabled on both the client and the server. On the client, it’s fairly straightforward, although it can’t be done in the UI.

  1. Open the remote desktop client, fill in the hostname, and save the connection settings.
  2. Open the RDP file in a text editor and add the line enablecredsspsupport:i:0 at the top.
  3. Save the file and double-click it to open the remote desktop client.

If you try to connect now, you’ll get an error message that the server requires NLA. So to continue, we need to disable that on the server.

Disable Server NLA

Thanks to Russel Smith for the details on how to use WMI to do this.

Disabling the NLA requirement on the server is normally just an unchecked checkbox in the system properties. But that won’t work when we’re already locked out of the machine. So we need to access the machine and somehow change the setting. It turns out that can be done with WMI. When I did this, I used another VM on the same virtual network. But I assume it would work straight from the Internet if the required ports are opened in the Network Security Group associated with the VM.

From the other VM, run the following commands in a PowerShell window, with the IP number being the internal IP of the server you’re locked out of and DOMAIN\USERNAME being the domain/user info (set the computer name as domain if it is not a domain-joined computer).

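$wmi = (Get-WmiObject -class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -ComputerName "<INTERNAL-IP>" -Filter "TerminalName='RDP-tcp'" -Credential DOMAIN\USERNAME)
$wmi
$wmi.SetUserAuthenticationRequired(0)

Replace "<INTERNAL-IP>" with the internal IP of the locked-out server. The second line, $wmi, just prints out the current settings before the third line alters them by turning off the NLA requirement.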

Log On and Change Password

Now you can use the prepared RDP file and log on to the server. Note how there is no password prompt before the RDP session is launched. Instead, the login prompt is displayed inside the RDP session. From there, the reset password prompt works.

Clean Up

Finally, it’s time to re-enable security. On the client, just delete the created RDP file. On the server, you can do that by going back to the PowerShell window on the other VM:
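One way to do the server-side clean-up, as an added example rather than the article's own code: it turns the NLA requirement back on through the same Win32_TSGeneralSetting class, checks the method's return code, and re-reads the setting to confirm it took effect. The function name Set-RdpNlaRequirement, its parameters, and the "<INTERNAL-IP>" placeholder are assumptions; the same function generalizes to the disable step by passing -Required $false.

```powershell
# Added example: function name and parameters are hypothetical, not from the article.
function Set-RdpNlaRequirement {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,      # internal IP or host name of the VM
        [Parameter(Mandatory)] [pscredential] $Credential,  # account allowed to use WMI on the VM
        [Parameter(Mandatory)] [bool] $Required             # $true = NLA enforced, $false = NLA off
    )

    # Same class, namespace and filter as the command used to disable NLA.
    $query = @{
        Class          = 'Win32_TSGeneralSetting'
        Namespace      = 'root\cimv2\terminalservices'
        ComputerName   = $ComputerName
        Filter         = "TerminalName='RDP-tcp'"
        Credential     = $Credential
        Authentication = 'PacketPrivacy'   # encrypt the DCOM traffic carrying the request
        ErrorAction    = 'Stop'
    }

    $setting = Get-WmiObject @query
    if (-not $setting) { throw "No RDP-tcp listener setting found on $ComputerName" }

    # The WMI method takes 1 (require NLA) or 0 (do not require NLA).
    $result = $setting.SetUserAuthenticationRequired([int]$Required)
    if ($result.ReturnValue -ne 0) {
        throw "SetUserAuthenticationRequired failed with code $($result.ReturnValue)"
    }

    # Re-read the setting instead of trusting the call: leaving NLA off
    # after the password reset is the failure mode this step exists to prevent.
    $actual = (Get-WmiObject @query).UserAuthenticationRequired
    if ($actual -ne [int]$Required) {
        throw "NLA setting on $ComputerName is $actual, expected $([int]$Required)"
    }

    [pscustomobject]@{ ComputerName = $ComputerName; NlaRequired = [bool]$actual }
}

# Clean up: require NLA again on the server. "<INTERNAL-IP>" is a placeholder.
$cred = Get-Credential -Message 'Account on the VM (DOMAIN\USERNAME)'
Set-RdpNlaRequirement -ComputerName '<INTERNAL-IP>' -Credential $cred -Required $true
```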



Published at DZone with permission of
