Why can't I log on in RDP mode, using a password that I know is correct?

This is something of a design flaw in the RDP protocol.  NLA authentication - which was not the way RDP authentication was originally conceived (it's a security retrofit) - requires that the thin client provide the RDP username and password up front, and can only return a "correct" or "incorrect" response.  There is no provision within the RDP protocol to detect "your password is about to expire" or "your password has expired" cases, and the only means that the client has to detect and correct this is out-of-band interrogation and update of Active Directory, i.e. the client device must be an AD domain member.  TLXOS devices are not domain members, and consequently don't know anything about your user account's LDAP attributes.

 

Aside from joining the domain and using a full Kerberos authentication stack (which we do not recommend, as we feel that thin clients should remain relatively stateless, and requiring a client-side logon creates a great many difficulties), there are only two ways to avoid this problem.  One is to turn off NLA authentication on your servers (perform and Internet search fro more information on how to do this), and use legacy authentication (set the Security option to RDP in TMS Mode window / Tlxconfig's Application tab) instead, which leaves your servers vulnerable to denial of service attacks.  The other is to set up some sort of web-based password change service that you can use to get out of this situation.