Enable SSL/TLS Without NLA - Cannot Change Expired Password With NLA Enabled

So the crux of the issue is this: NLA does not allow users with expired passwords, or whose account has been configured to require a password change on next logon, to log into a Remote Desktop Server.

Requirement: Enable SSL/TLS for RDP connections to provide RDS host identity validation and use "current" encryption standards.

Background: We have a fairly large number of remote users in a BYOD situation where the user does not EVER have direct access to the corporate network from a corporate device on the network. When setting up a new user we require that they change their password upon initial login. When using the RDP security layer, this is fairly straightforward, as they can provide their credentials and are immediately prompted to change their password. However, if SSL/TLS or Negotiate is selected, the connection fails, indicating the password is expired, without any prompt to change it.

Documentation on this is a bit unclear; however, it all seems to indicate that this should ONLY be an issue if NLA is REQUIRED. However, in my experience NLA is used if it is supported, and there is no mechanism in place for the connection to "fall back" to the RDP security layer, and the connection just fails. One oddity to note is that Windows Server 2003 allows either the RDP Security layer or SSL/TLS to be used but does not support NLA. To me this would seem to indicate that NLA is separate from SSL/TLS and that there should be the ability to utilize SSL/TLS WITHOUT NLA. I am aware that there are "patches" available for this issue, but I am also aware that they 1) only change the error message displayed on the client side and 2) only enable the password change functionality via RDWeb. We are not interested in using RDWeb and are looking for a solution to the problem above.

In summary, looking for a way to enable SSL/TLS but to disable NLA.  Alternatively, if there is a solution to allow the connection to fallback to the RDP Security layer if NLA fails, I would happily accept that as well.  Thank you all in advance for any assistance you can provide.

May 28th, 2015 7:37pm

Hi Dan,

Here is a related thread which I encountered recently, which might be helpful to you:

Error while logon on RDSH server in RDS2012 with user's expired password
https://social.technet.microsoft.com/Forums/windowsserver/en-US/dc0e7083-e633-4b04-9362-4679c241c39f/error-while-logon-on-rdsh-server-in-rds2012-with-users-expired-password?forum=winserverTS

Best Regards,
Amy

May 30th, 2015 10:50am

Amy, thank you for the suggestion; however, I reviewed the thread and did not see a solution to the question I posed: "looking for a way to enable SSL/TLS but to disable NLA. Alternatively, if there is a solution to allow the connection to fall back to the RDP Security layer if NLA fails, I would happily accept that as well."

The odd thing is that, based on the way the documentation reads, using the Negotiate setting without requiring NLA ("Allow connections only from computers running Remote Desktop with Network Level Authentication" unchecked) should not produce the error that the user must change their password before logging in. However, based on the numerous forum threads related to this issue, most of which identify switching from Negotiate to RDP Security Layer as the solution, this does not seem to be the case in practice. It would seem that there is some negotiation fallback mechanism that does not work for some reason.

At this point I am still looking to at least find a solution to enable SSL/TLS without enabling NLA.

--Dan

May 30th, 2015 2:03pm
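The thread never gets an answer, so here is an added example (not from the original posts, Amy's linked thread, or any Microsoft article) of the two levers that control what Dan describes. The server-side "SSL (TLS 1.0)" and "require NLA" settings are separate fields on the RDP-Tcp listener (`Win32_TSGeneralSetting`), so SSL/TLS with NLA *not required* is a valid server configuration. What the server cannot do is stop a client from offering CredSSP (NLA): a Windows 7+ mstsc will always use it when the server permits it, which is the "fallback that does not happen" in the posts above. The fallback has to come from the client side, via the documented `enablecredsspsupport:i:0` setting in an .rdp file; with CredSSP declined, mstsc still does the TLS handshake (and, with `authentication level:i:2`, refuses to connect if the server certificate does not validate), then hands the user the interactive Winlogon screen, which is where the expired-password change dialog lives. The hostname and output path are placeholders.

```powershell
# Added example, not code from the thread. Server side: read, and optionally set,
# the RDP-Tcp listener to SecurityLayer=2 (SSL/TLS) with NLA not required.
# Client side: write an .rdp file that declines CredSSP so mstsc connects over TLS
# without NLA and the host shows the interactive logon screen.
# $RdsHost and $RdpFile are assumed placeholders; replace them for your environment.

$RdsHost = 'rds01.corp.example'      # assumed FQDN; must match the listener cert's subject/SAN
$RdpFile = "$env:USERPROFILE\Desktop\$RdsHost-tls-no-nla.rdp"

$Namespace         = 'root\cimv2\TerminalServices'
$SecurityLayerName = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }

function Get-RdpListenerSecurity {
    # Same values as the RDS host "Security" tab, read through WMI (run on the host)
    $ts = Get-WmiObject -Namespace $Namespace -Class Win32_TSGeneralSetting `
                        -Filter "TerminalName='RDP-Tcp'"
    [pscustomobject]@{
        SecurityLayer      = $SecurityLayerName[[int]$ts.SecurityLayer]
        NlaRequired        = [bool]$ts.UserAuthenticationRequired
        MinEncryptionLevel = $ts.MinEncryptionLevel
        CertThumbprint     = $ts.SSLCertificateSHA1Hash
        # 1 = enforced by Group Policy; a local change would be overwritten
        LayerSetByPolicy   = [bool]$ts.PolicySourceSecurityLayer
        NlaSetByPolicy     = [bool]$ts.PolicySourceUserAuthenticationRequired
    }
}

function Set-RdpTlsWithoutNla {
    # Run elevated on the RDS host. Equivalent to picking "SSL (TLS 1.0)" and
    # unticking "Allow connections only from computers running ... NLA".
    $ts = Get-WmiObject -Namespace $Namespace -Class Win32_TSGeneralSetting `
                        -Filter "TerminalName='RDP-Tcp'"
    if ($ts.PolicySourceSecurityLayer -or $ts.PolicySourceUserAuthenticationRequired) {
        throw 'Security layer / NLA are set by Group Policy; change the GPO instead.'
    }
    [void]$ts.SetSecurityLayer(2)               # 2 = SSL/TLS (0 = RDP layer, 1 = Negotiate)
    [void]$ts.SetUserAuthenticationRequired(0)  # 0 = NLA permitted but not required
}

function New-NoNlaRdpFile {
    param([string]$HostName, [string]$Path)
    # enablecredsspsupport:i:0 - mstsc will not offer CredSSP (NLA) even though the
    #   OS supports it; the server must not REQUIRE NLA or the connection is refused.
    # authentication level:i:2 - do not connect if the server certificate fails
    #   validation, i.e. keep the host-identity check the thread is asking for.
    @(
        "full address:s:$HostName"
        'enablecredsspsupport:i:0'
        'authentication level:i:2'
    ) | Set-Content -Path $Path -Encoding ASCII
    return $Path
}

# Usage on the RDS host:   Get-RdpListenerSecurity ; Set-RdpTlsWithoutNla
# Usage on the BYOD client: mstsc (New-NoNlaRdpFile -HostName $RdsHost -Path $RdpFile)
```

Two caveats a practitioner should weigh before handing that .rdp file to BYOD users. First, `authentication level:i:2` only connects if the client trusts the listener certificate, so the self-signed certificate an RDS host generates by default will fail on an unmanaged device; the listener needs a certificate issued by a CA the client already trusts, or users must import the CA. Second, a listener that does not require NLA presents the Winlogon screen to unauthenticated clients, which is exactly the pre-authentication attack surface NLA was introduced to close; if the host is reachable from the internet, front it with a gateway or VPN rather than leaving NLA optional for everyone, and consider reserving the no-NLA .rdp file for the first-logon password change only.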
