WFA Client Login Fails after Windows Password Reset/Expiration


Product: Workforce Access Client
Applicable Version(s): All

When Windows password is expired or reset, users cannot authenticate using the HYPR Workforce Client.

When the password is reset, the NT Lan Manager (NLTM) will generate a new pinning hash which must be updated via the Active Directory (AD) settings.


Active Directory 2016+ enables rolling expiring NTLM secrets during sign on for users who are required to use Microsoft Passport or smart card for interactive sign on.

Read the following from Microsoft: Rolling public key only user's NTLM secrets.

NOTE: The Domain Function Level (DFL) must be set to 2016+. If you have an earlier Windows Server version on on or more Domain Controllers (DCs), you must upgrade the host(s) and ensure the DFL is set to 2016 or higher on all DCs in question.
Version Date Comment
Current Version (v. 5) June 17, 2022 14:43 A. Khedron de León
v. 4 Mar 22, 2022 23:03 John Certo
v. 3 Mar 03, 2022 15:02 Steve Hayman
v. 2 Feb 24, 2022 21:19 Edward Poon
v. 1 Oct 30, 2021 16:26 Edward Poon
Was this article helpful?
2 out of 2 found this helpful