Attempting to use an RDP Target Account through PAM results in an error appears stating "Your password has expired or you must change it before logging on for the first time. Contact your system administrator for assistance." The same password has been confirmed working outside of PAM by logging in using a different login method. In Windows Event Viewer Security logs on the RDP Target Device (or Active Directory Domain Controller) there is a 4625 Audit Failure event for the logon attempt with the Failure Information noted in the log snippet below.
Error from PAM RDP Client:
Event Viewer log snippet: Failure Information: Failure Reason: User not allowed to logon at this computer. Status: 0xC000006E Sub Status: 0xC0000070
PAM 3.x client
This combination of symptoms is usually related to the permissions of the Target Account in Active Directory (AD). There is an option called "Log On To" when editing user properties in AD which controls where accounts are able to login. The way the Log On To option works can be confusing and is likely configured incorrectly.
Here is some info on how the behavior works in relation to PAM:
When the Target Device's address is configured in Log On To, the account will only be able to login locally (via console or direct keyboard/monitor access). This does not enable login via RDP and both PAM & standard RDP will fail unless additional allowed workstations are added.
When PAM's address is configured in Log On To, RDP to the Target Device will still be denied. This may seem counter-intuitive since when using PAM the RDP traffic is "routed through PAM". While PAM does route the traffic, it does not modify the login requests, they continue to be listed as coming from the End User's workstation.
When the End User's (PAM User's) Workstation is configured in Log On To, the account will be able to Log On To any Target device via RDP. That said, it would not permitted to login at the console of the Target Devices, only their personal workstation.
Remove or modify the "Log On To" options for the effected account.
This option can stop Target Accounts from being able to login since the login request is not seen as coming from a host on the allowed list. When reviewing the Event Viewer 4625 logs, there is a parameter called "Workstation Name". If continuing to use Log On To, this is the computer name that needs to exist in the Log On To list for the login that failed to become successful next time. This is usually the End User's (PAM User's) workstation, but may be a jump server or similar depending on the exact environment and usage. When connecting through PAM, the name of the computer PAM is running on is seen as the computer where the request originates from, so if adding to this list each PAM User who needs access would likely need their personal workstation(s) added.
Most admins attempting to configure this option with PAM are trying to restrict RDP access unless it is coming through PAM. Since this would require putting every end user's workstation in each Log On To list, this is not very feasible for most people. One option that can achieve this use case would be to use Firewalls to block the traffic coming over port 3389 unless it is coming from a PAM address.