HOWTO: WFA Client (Windows) Resolve when the Password has been reset/expired


 WFA Client (Windows) Resolve when the Password has been reset/expired


How to have WFA Client continue working after password has been reset/expired

Prerequisites (if applicable):

 Active Directory has to be 2016 and newer


 Edward Poon (Unlicensed)


 October 30, 2021






Applicable Version(s):


  1.  Usability Issue when Password is Expired/Reset: Users cannot login/authenticate

    1. Problem: When they reset the password, then NTLM will generate a hash, maybe they don't know of a way to auto reset the hash.

    2. Solution: there is a setting in 2016 Active Directory and newer where we can enable rolling of expiring NTLM secrets during sign on, for users who are required to use Microsoft Passport or smart card for interactive sign on. See Microsoft Article: and scroll to section called ”Rolling public key only user's NTLM secrets” (Anchor link here: )

Note: The DFL (Domain Function Level) MUST be set to 2016 or higher. If you have a DC on an older version of Windows Server, forcing your DFL to a lower setting than 2016+ you will need to upgrade the host(s) and then ensure your DFL is set to 2016 or greater.

Outcome: They should be able to login

Further Reading:

Version Date Comment
Current Version (v. 4) Mar 22, 2022 23:03 John Certo
v. 3 Mar 03, 2022 15:02 Steve Hayman
v. 2 Feb 24, 2022 21:19 Edward Poon (Unlicensed)
v. 1 Oct 30, 2021 16:26 Edward Poon (Unlicensed)

Was this article helpful?
0 out of 0 found this helpful