How to handle expired passwords with Workspace ONE Access

If you run a virtual desktop environment on VMware Horizon fronted by Workspace ONE Access (previously known as VMware Identity Manager), end users whose password has expired can get stuck: they cannot log in, and they have no other machine in the domain on which to change the password.

Luckily there is a pretty neat solution for that.

Horizon Client

With plain old Horizon the situation is not that bad. The Horizon Client recognizes an expired password:

and prompts the user to change it right in the client.

However, Horizon can be (and should be) fronted with Workspace ONE Access. In that case this method does not work, because Workspace ONE Access only tells you that the password is expired and offers no way to change it, so we need another solution. 🙁

Microsoft to the rescue

If you don’t have a self-service password management tool, you can use this little trick: set up RD Web Access. Its primary function is to publish RDP (RemoteApp and desktop) connections to end users, but it also ships with a password change page that is disabled by default. Note that it is a password change page, not a reset: the user must still know the old (expired) password, which is exactly the situation we are solving here.

This setup works completely independently of the rest of the Microsoft RDS services; no connection broker, session host or gateway is needed.

One quick upfront disclaimer: the client (the end user) must be able to reach the server where RD Web Access is installed directly over HTTPS, and the password change page accepts domain credentials without any prior authentication. So keep the Windows box patched, use a TLS certificate the clients trust, make sure an account lockout policy is in place, expose the server only to the networks that really need it, and know what you are doing when opening it up.

How to do it?

First, add the “Remote Desktop Services” role.

Make sure you select only the “Remote Desktop Web Access” role service; nothing else is needed.

After the installation a small tweak is needed to make the password change page work. Open IIS Manager, navigate to Sites > Default Web Site > RDWeb > Pages and double-click “Application Settings”.

Change the value of PasswordChangeEnabled to true. That’s it, no restart is needed.

To verify, open your browser and point it at https://password.minarik.local/RDWeb/Pages/en-US/password.aspx (substitute your own host name). If you see a screen like this, you are golden.
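The same three steps (install the role service, flip PasswordChangeEnabled, verify the page) can be scripted from an elevated PowerShell session on the target server. This is an added example, not code from the original post; the host name password.minarik.local is the post’s own example and the content check on the page is deliberately loose, both are assumptions you should adjust for your environment.

```powershell
# Added example: set up the RD Web Access password change page end to end.
# Run in an elevated PowerShell session on the server that will host RD Web Access.

# 1. Install only the RD Web Access role service (IIS is pulled in as a dependency).
Install-WindowsFeature -Name RDS-Web-Access -IncludeManagementTools

# 2. Enable the password change page. This edits the same appSettings entry that
#    IIS Manager shows under Default Web Site > RDWeb > Pages > Application Settings.
Import-Module WebAdministration
$pagesPath = 'IIS:\Sites\Default Web Site\RDWeb\Pages'
$filter    = '/appSettings/add[@key="PasswordChangeEnabled"]'
Set-WebConfigurationProperty -PSPath $pagesPath -Filter $filter -Name 'value' -Value 'true'

# 3. Read the setting back instead of trusting that the write succeeded.
$current = (Get-WebConfiguration -PSPath $pagesPath -Filter $filter).value
if ($current -ne 'true') {
    throw "PasswordChangeEnabled is '$current', expected 'true'"
}

# 4. Verify the page is served over HTTPS with a certificate this machine trusts.
#    Invoke-WebRequest fails on an untrusted certificate, which is exactly the
#    problem you want to catch before end users are sent here.
#    Assumption: the host name below is the post's example; replace it with yours.
$url  = 'https://password.minarik.local/RDWeb/Pages/en-US/password.aspx'
$resp = Invoke-WebRequest -Uri $url -UseBasicParsing
if ($resp.StatusCode -ne 200 -or $resp.Content -notmatch 'password') {
    throw "Password change page not served as expected from $url"
}
"Password change page is up at $url"
```

The read-back in step 3 matters because the page still loads when the setting is false; it just refuses to change anything, so an HTTP 200 alone proves little. Run step 4 from a client on the network the end users will actually use, not only on the server itself, so that firewall rules and certificate trust are tested from the right place.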

The next step is to actually use this page from Workspace ONE Access, where you can configure the behavior of the “Forgot Password?” link. Go to Identity & Access Management > Password Recovery Assistant, set “Forgot Password” to a custom URL and paste in your RD Web password page URL.

Now when a user clicks the “Forgot password?” link, they land on the RD Web page and can change the expired password.

You can also put the RD Web URL on your thin/zero clients as a link that opens in the embedded browser. 😉