Channel: Remote Desktop Services (Terminal Services) forum

Server 2008 R2 - Change Expired Passwords - Inconsistent Behavior with NLA

I understand that there is a "by design" problem with NLA that prevents users from being able to change an expired password via NLA. (Brief aside: NLA already distinguishes between a bad username/password and an expired password, as a bad username/password will reprompt for credentials and an expired password gives the whole "must change password before logging in" error. I do not see why Microsoft cannot alter NLA to treat an expired password as a "successful" login and dump the user to the change password screen the same as they would when using the RDP security layer. NLA has already done its job of "pre-authenticating" before establishing the session, and so to create the RDP session and present the change password dialogue seems reasonable.)

Oh well, on to the real question. According to the relevant Microsoft KB articles, KB2648402 and KB2648397, this issue only applies when the "Allow connections only from computers running Remote Desktop with Network Level Authentication" option is enabled.

We currently have a couple of RDS farms (session broker w/ DNS RR) configured to Negotiate client security. When encountering an expired password, we are experiencing inconsistent behavior in how the logon is handled. The user is initially provided with the NLA credentials dialogue, and in some cases when the password is expired the user is prompted to change their password, and in others the "you must change password prompt before logging in" message is displayed. In both cases, the initial connection appears to attempt NLA, as we are presented with the NLA credentials dialogue; however, it sometimes appears to fall back to the RDP security layer and prompt the user to change their password, and other times it does not. Falling back to the RDP security layer seems reasonable as we are not requiring NLA; however, I cannot figure out what factors lead to each scenario.

When client security is set to Negotiate, should the RDP client fall back to the RDP security layer when an expired password is encountered? Also, in Server 2003, you could enable TLS security without NLA (of course 2003 did not support NLA); can you use TLS security on a Windows Server 2008 R2 RDS host without using NLA?

I understand that the two hotfixes above do not actually resolve the issue, just enable passwords to be changed via RDWeb and change the message on the client.  Really I am just looking to understand why we are experiencing the inconsistent behavior and, if possible, make the necessary changes so that clients always fall back to RDP security layer when a password is expired.
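As an added example (not part of the original post or of any Microsoft tooling), the following PowerShell audit reads the RDP-Tcp listener's security layer and NLA setting from each Session Host in a farm and flags members whose settings differ. Configuration drift between farm members behind a broker/DNS round robin is one thing worth ruling out when the same expired-password logon behaves differently from connection to connection. The host names are placeholders.

```powershell
# Added example: audit the RDP-Tcp listener configuration of each Session Host.
# Host names are constructed placeholders; replace them with your farm members.
$farmHosts = @('RDSH01', 'RDSH02', 'RDSH03')

# Decode tables for the two Win32_TSGeneralSetting properties being inspected.
$securityLayerNames = @{
    0 = 'RDP Security Layer'
    1 = 'Negotiate'
    2 = 'SSL (TLS)'
}
$nlaNames = @{
    0 = 'NLA not required'
    1 = 'NLA required'
}

$results = foreach ($h in $farmHosts) {
    try {
        # The listener settings live in the TerminalServices WMI namespace.
        $ts = Get-WmiObject -ComputerName $h `
              -Namespace 'root\cimv2\TerminalServices' `
              -Class Win32_TSGeneralSetting `
              -Filter "TerminalName='RDP-Tcp'" -ErrorAction Stop

        New-Object PSObject -Property @{
            Host          = $h
            SecurityLayer = $securityLayerNames[[int]$ts.SecurityLayer]
            NLA           = $nlaNames[[int]$ts.UserAuthenticationRequired]
            # Per KB2648402/KB2648397 the expired-password problem applies
            # when the "NLA only" option is enabled, so surface it directly.
            NlaEnforced   = ([int]$ts.UserAuthenticationRequired -eq 1)
        }
    } catch {
        Write-Warning "Could not query $h : $($_.Exception.Message)"
    }
}

$results | Format-Table Host, SecurityLayer, NLA, NlaEnforced -AutoSize

# Flag members whose settings differ from the first host that answered.
$reference = $results | Select-Object -First 1
$results | Where-Object {
    $_.SecurityLayer -ne $reference.SecurityLayer -or $_.NLA -ne $reference.NLA
} | ForEach-Object { Write-Warning "Configuration drift on $($_.Host)" }
```

Run it from an account with WMI access to every member; a host that reports a different security layer or NLA value from the others is the first place to look for the per-connection difference.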
