Attempting to use an RDP Target Account through PAM fails with the error "Your password has expired or you must change it before logging on for the first time. Contact your system administrator for assistance." The same password has been confirmed to work outside of PAM by logging in with a different login method. In the Windows Event Viewer Security log on the RDP Target Device (or on the Active Directory Domain Controller) there is a 4625 Audit Failure event for the logon attempt, with the Failure Information noted in the log snippet below.
Error from PAM RDP Client:
<Please see attached file for image>
This combination of symptoms is usually caused by the permissions of the Target Account in Active Directory (AD). The "Log On To" option in the user's properties (Account tab in Active Directory Users and Computers) controls which computers the account is allowed to log on from. The way Log On To works is easy to misunderstand, and it is often configured in a way that blocks logons that come through PAM.
Resolution: remove or modify the "Log On To" restriction on the affected account.
Here is how the behavior works in relation to PAM:
Log On To can stop a Target Account from logging in because the logon request is not seen as coming from a host on the allowed list. The 4625 event contains a field called "Workstation Name". If you continue to use Log On To, that is the computer name that must be present in the account's Log On To list for the failed logon to succeed next time. It is usually the End User's (PAM User's) workstation, but it may be a jump server or similar depending on the exact environment and usage. When connecting through PAM, the computer the PAM RDP client is running on is presented as the computer the logon request originates from, so if you add to this list, each PAM User who needs access would likely need their own workstation(s) added. Keep in mind that Log On To matches on the workstation name the client supplies during authentication, which the client controls, so it is an administrative convenience rather than a reliable way to restrict where RDP connections may come from.
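The triage and fix described above, as an added PowerShell example (not from the original article or from the PAM vendor): it pulls the recent 4625 events for a Target Account, reads the Workstation Name and SubStatus out of each event's XML, and compares the reported workstation with the account's Log On To list, which is stored in the LogonWorkstations property (LDAP attribute userWorkstations). The account name 'svc-rdp-target' and the lookback window are assumed placeholders; the SubStatus meanings are the values Microsoft documents for event 4625. Run it on the RDP Target Device or a Domain Controller as an administrator with the ActiveDirectory RSAT module installed.

```powershell
# Added example (not from the original article): triage 4625 failures for a Target
# Account and compare the Workstation Name they report with the account's Log On To
# list. Assumed placeholders: the account name and the lookback window.
param(
    [string]$TargetAccount = 'svc-rdp-target',   # assumption: hypothetical Target Account
    [int]$LookbackHours    = 24
)

Import-Module ActiveDirectory

# Well-known SubStatus values from Microsoft's event 4625 documentation.
# PowerShell hashtable keys are case-insensitive, so 0xc0000070 and 0xC0000070 both match.
$SubStatusText = @{
    '0xC0000070' = 'User logon from unauthorized workstation (Log On To restriction)'
    '0xC0000071' = 'Password has expired'
    '0xC0000224' = 'User is required to change password at next logon'
    '0xC000006A' = 'Bad password'
    '0xC0000064' = 'User name does not exist'
}

# 1. Collect recent 4625 events and read the fields from the event XML by name,
#    which is more robust than relying on positional Properties[] indexes.
$since  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetUserName'] -ne $TargetAccount) { continue }
    [pscustomobject]@{
        Time            = $e.TimeCreated
        TargetUser      = $data['TargetUserName']
        WorkstationName = $data['WorkstationName']
        SourceIp        = $data['IpAddress']
        LogonType       = $data['LogonType']
        SubStatus       = $data['SubStatus']
        Meaning         = $SubStatusText[$data['SubStatus']]
    }
}
$failures | Format-Table -AutoSize

# 2. Compare each reported Workstation Name with the account's Log On To list.
#    LogonWorkstations is a comma-separated string; empty means no restriction.
$user    = Get-ADUser -Identity $TargetAccount -Properties LogonWorkstations
$allowed = @()
if ($user.LogonWorkstations) { $allowed = $user.LogonWorkstations -split ',' }

foreach ($f in $failures) {
    if ($allowed.Count -gt 0 -and ($allowed -notcontains $f.WorkstationName)) {
        Write-Warning ("{0} is not in the Log On To list for {1} (allowed: {2})" -f `
            $f.WorkstationName, $TargetAccount, ($allowed -join ','))
    }
}

# 3a. Resolution option 1: remove the restriction entirely (clears userWorkstations).
# Set-ADUser -Identity $TargetAccount -Clear userWorkstations

# 3b. Resolution option 2: keep Log On To and add the workstation(s) seen in the events.
# $newList = ($allowed + ($failures.WorkstationName | Sort-Object -Unique)) | Sort-Object -Unique
# Set-ADUser -Identity $TargetAccount -LogonWorkstations ($newList -join ',')
```

The two resolution commands are left commented out so the script is read-only until you decide which option applies. If the SubStatus reported for the failure is not 0xC0000070, the Log On To list is not the cause, and the password or account flags should be checked instead.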
Most admins who configure this option with PAM are trying to restrict RDP access so that it is only possible through PAM. Because that would require putting every end user's workstation in each account's Log On To list, it is not feasible for most environments. A better way to achieve this is to use firewalls (the Windows firewall on the Target Device, a network firewall in the path, or both) to block inbound traffic on TCP port 3389 unless it comes from a PAM address.
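The firewall alternative above, as an added PowerShell example for the Windows Defender Firewall on the Target Device (not from the original article or from the PAM vendor). It assumes the PAM address is 10.0.0.5, which is a placeholder to replace with the real PAM host(s) or subnet; the same restriction should be mirrored on any network firewall in the path. Run it on the target as an administrator.

```powershell
# Added example (not from the original article): allow inbound RDP on a Target Device
# only from PAM source addresses. 10.0.0.5 is an assumed placeholder PAM address.
$PamAddresses = @('10.0.0.5')   # assumption: hypothetical PAM address(es); CIDR ranges are also accepted

# 1. Make sure the inbound default action is Block on every profile. Windows Firewall
#    has no "block everyone except" rule syntax, so scoping the allow rules relies on
#    unmatched inbound traffic being dropped by default.
Set-NetFirewallProfile -All -DefaultInboundAction Block

# 2. Scope the built-in "Remote Desktop" allow rules (TCP and UDP 3389, plus the
#    shadow rule) so they only match traffic from PAM, and ensure they are enabled.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $PamAddresses -Enabled True

# 3. Look for any other enabled inbound allow rule that opens 3389 without the same
#    scoping; such a rule would re-open RDP for every address.
$rdpAllowRules = Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = ($remote -join ',') }
    }
$rdpAllowRules | Format-Table -AutoSize
$rdpAllowRules | Where-Object { $_.RemoteAddress -eq 'Any' } |
    ForEach-Object { Write-Warning ("Rule '{0}' still allows 3389 from Any" -f $_.Rule) }

# 4. Verify from a PAM host and from a non-PAM workstation. Expected: the first
#    reports TcpTestSucceeded = True, the second False.
#    Test-NetConnection -ComputerName <target> -Port 3389
```

Note that this also blocks administrators who RDP to the target directly, so plan a break-glass path (console access or a separately scoped allow rule) before rolling it out broadly, and apply the change through Group Policy rather than per machine where many targets are involved.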