
(Windows) Logon Fails after Password Reset Expiration

When a Windows password has expired or been reset, users cannot authenticate using the HYPR Workforce Client.

When the password is reset, NT LAN Manager (NTLM) generates a new pinning hash for the user, which must be updated through the Active Directory (AD) settings described in the Solution.

Solution

Active Directory 2016+ can roll expiring NTLM secrets during sign-on for users who are required to use Microsoft Passport (now Windows Hello for Business) or a smart card for interactive sign-on.

For the configuration steps, read the Microsoft article "Rolling public key only user's NTLM secrets".

NOTE: The Domain Functional Level (DFL) must be 2016 or higher. If one or more Domain Controllers (DCs) run an earlier Windows Server version, upgrade those hosts and ensure the DFL is set to 2016 or higher on all DCs in question.
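Before enabling rolling NTLM secrets, an administrator will want to confirm the prerequisites above. The following PowerShell script is an added example, not part of the HYPR article; it assumes the RSAT ActiveDirectory module and a domain-joined session, and it reports the DFL, each DC's operating system, and which users are flagged for smart-card-only interactive logon (the accounts the rolling feature applies to).

```powershell
# Added example: prerequisite check for rolling NTLM secrets (not HYPR's code).
# Assumes the RSAT ActiveDirectory module is installed and the caller can read AD.
Import-Module ActiveDirectory

function Test-NtlmRollingPrerequisites {
    param(
        # Defaults to the current domain; pass a DNS name to check another one.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    $ad = Get-ADDomain -Identity $Domain

    # DomainMode looks like "Windows2016Domain"; pull out the year and compare.
    $dflYear = if ($ad.DomainMode -match '(\d{4})') { [int]$matches[1] } else { 0 }
    $dflOk   = $dflYear -ge 2016

    # Every DC in the domain with its OS; anything older than 2016 (or unknown) is flagged.
    $dcs = Get-ADDomainController -Filter * -Server $Domain | ForEach-Object {
        $osYear = if ($_.OperatingSystem -match 'Windows Server (\d{4})') { [int]$matches[1] } else { 0 }
        [pscustomobject]@{
            HostName        = $_.HostName
            OperatingSystem = $_.OperatingSystem
            Meets2016       = ($osYear -ge 2016)
        }
    }

    # Users required to use a smart card for interactive logon are the ones whose
    # NTLM secret is rolled at sign-on once the feature is enabled. PasswordLastSet
    # shows when the secret was last regenerated.
    $scUsers = Get-ADUser -Filter 'SmartcardLogonRequired -eq $true' -Server $Domain `
        -Properties PasswordLastSet |
        Select-Object SamAccountName, PasswordLastSet

    [pscustomobject]@{
        Domain                = $ad.DNSRoot
        DomainFunctionalLevel = $ad.DomainMode
        DflMeets2016          = $dflOk
        DomainControllers     = $dcs
        DcsBelow2016          = @($dcs | Where-Object { -not $_.Meets2016 })
        SmartcardOnlyUsers    = $scUsers
    }
}

# Usage: run and review DflMeets2016 and DcsBelow2016 before enabling the policy.
Test-NtlmRollingPrerequisites | Format-List
```

If DcsBelow2016 is non-empty or DflMeets2016 is false, the rolling feature will not take effect until those hosts are upgraded and the DFL is raised.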