Windows 7 logon with cached credentials
Devilsbane
Member Posts: 4,214 ■■■■■■■■□□
Sitting in a Windows training class and the instructor claims that you ALWAYS log onto windows 7 using cached credentials. I have been catching errors left and right from him, and this seems like another one. He says that he can't explain it, but it is the way it is. You log on cached and then contact a DC later.
Can anyone confirm or deny this? RK, I'm looking at you.
Decide what to be and go be it.
Comments
-
Repo Man Member Posts: 300
You can set GPOs to not cache logins so I don't see how that would be right. Admittedly, I've never been in a place that has enforced it.
-
NOLAJ Member Posts: 490
If the computer is joined to a domain, and you try to log on with domain credentials, and a DC is not available (i.e., off the network or on the network without an internet connection), you couldn't log on without cached credentials. Of course, local accounts on the computer would be the exception.
WGU - MBA: I.T. Management --> Graduated!!
WGU - B.S. Information Technology—Network Administration --> Graduated!!
:thumbup: -
Devilsbane Member Posts: 4,214 ■■■■■■■■□□
NOLAJ wrote: »If the computer is joined to a domain, and you try to log on with domain credentials, and a DC is not available (i.e., off the network or on the network without an internet connection), you couldn't log on without cached credentials. Of course, local accounts on the computer would be the exception.
He is saying that if you are sitting in your office plugged into the network, sitting 50 feet from a DC that you have access to, you will log in with cached credentials and then contact the DC later. I can't see how Microsoft could possibly do this.
I did a google search and found nothing so I thought I would pose it to our intelligent group here. If this is the way it is, at least someone else would have heard about it through a reading or something. We have a couple more days of class and I've asked for proof. Is it possible he is confusing it with something else? I can't even think of anything similar enough to possibly get it confused with.
Decide what to be and go be it. -
rapyoke Member Posts: 27 ■□□□□□□□□□
I'm not an expert (look at my certs) but, as another member said, you either log on using cached credentials or contact the DC. As another user asked, if you were REQUIRED to cache credentials even when a DC was available, why would they give you the option to disable it?
[X]70-270 - Configuring Windows XP Professional
[X]70-680 - Configuring Windows 7
[X]640-802 - CCNA
[ ] MCITP -
TechZilla Member Posts: 58 ■■□□□□□□□□
The way that I've always understood it is that the machine searches for an available DC first and if it is unable to find one it uses your cached credentials.
But thinking on it more, you can still log on to a computer with a user account that has been deleted from AD because of the cached creds. Makes me wonder if it really does look for a DC first.

To find out whether you were logged on to the domain:
Type set at a command line.
Check the LOGONSERVER environment entry.
If it is set to the name of your computer, you were logged on using cached domain credentials. If you were validated by a DC, the LOGONSERVER value would be set to the name of a DC. You can use the echo command:
echo %USERNAME% %LOGONSERVER%
to get a quick look at the logonserver.
If you have rights to view the event log, check the System log. If you were logged on using cached credentials, you see the following event:
Event ID 5719
-
dales Member Posts: 225
TechZilla wrote: »The way that I've always understood it is that the machine searches for an available DC first and if it is unable to find one it uses your cached credentials.
But thinking on it more, you can still log on to a computer with a user account that has been deleted from AD because of the cached creds. Makes me wonder if it really does look for a DC first.
That might be something to do with AD replication, no!? I've just tried it: created a new account, logged on and off, then deleted (not disabled) the account. It let me log on once but then not again when I tried a minute or two later. If not then by jingo what a security hole!!
Kind Regards
Dale Scriven
Twitter:dscriven
Blog: vhorizon.co.uk -
citinerd Member Posts: 266
If a DC is available it always contacts the DC. Case in point: if you disable a user and that user tries to log on to a PC where cached credentials were stored and it IS on the network, the user is denied access. Otherwise users would be able to log on at least one more time.
-
rwwest7 Member Posts: 300
Always is a strong word and usually wrong. I normally set a GPO to make the "cached login count" be zero, that way either you authenticate against a DC or you don't log in, period.
If he says "always" then ask him what happens the first time you log onto a computer you've never logged onto before?
A way to test:
Log on with a generic account, then log off.
Go to AD and change that user's password.
Try to log on again with the old password. If it takes the old password then you're using cached credentials; if it makes you use the new password then your instructor is wrong. -
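An added PowerShell example (editor's code, not posted by anyone in this thread) that puts TechZilla's LOGONSERVER / Event ID 5719 checks and rwwest7's "cached login count" GPO setting into one script you can run on the machine after the password-change test above. It assumes a domain-joined Windows 7 or later box, a PowerShell session with rights to read the System log, and that klist.exe is on the path (it ships with Windows 7 and later). The registry value CachedLogonsCount under Winlogon is the setting behind the GPO "Interactive logon: Number of previous logons to cache (in case domain controller is not available)".

```powershell
# Added example, not from the original thread.
# Answers "was this interactive logon validated by a DC or served from cache?"
# on a domain-joined Windows 7+ machine, and reports the cache size policy.

function Get-LogonValidationInfo {
    $computer    = $env:COMPUTERNAME
    # LOGONSERVER looks like \\DC01 (or \\<this machine> for a cached or local logon)
    $logonServer = $env:LOGONSERVER -replace '^\\\\', ''

    # Local machine name in LOGONSERVER means no DC validated this session:
    # either cached domain credentials or a local account were used.
    $validatedByDC = (-not [string]::IsNullOrEmpty($logonServer)) -and
                     ($logonServer -ne $computer)

    # Registry value behind the "Number of previous logons to cache" policy.
    # 0 disables cached logon (offline domain logon then simply fails); default is 10.
    $winlogon   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cacheCount = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
                       -ErrorAction SilentlyContinue).CachedLogonsCount

    # NETLOGON 5719 in the System log: the workstation could not reach a DC
    # for its domain. One near your logon time means that logon was cached.
    $since = (Get-Date).AddHours(-24)
    $netlogonFailures = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5719
        StartTime    = $since
    } -ErrorAction SilentlyContinue)

    # A krbtgt/<REALM> ticket in the Kerberos cache shows the session obtained
    # a TGT from a KDC (a DC); a purely cached logon has no TGT until a DC is reachable.
    $hasTgt = $false
    if (Get-Command klist.exe -ErrorAction SilentlyContinue) {
        $hasTgt = ((& klist.exe) -join "`n") -match 'krbtgt/'
    }

    [pscustomobject]@{
        ComputerName        = $computer
        LogonServer         = $logonServer
        ValidatedByDC       = $validatedByDC
        CachedLogonsCount   = $cacheCount
        Netlogon5719Last24h = $netlogonFailures.Count
        HasKerberosTGT      = $hasTgt
    }
}

Get-LogonValidationInfo | Format-List
```

Read the three signals together: LOGONSERVER set to a DC plus a krbtgt ticket means the logon went to a DC; LOGONSERVER equal to the local machine name with a recent 5719 means Netlogon could not find a DC and the cached verifier was used. With CachedLogonsCount set to 0 the second case cannot happen at all, which is why laptop users on that policy must be on the network (or VPN) to log on.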
NOLAJ Member Posts: 490
Citinerd is correct. If the DC is available, it will always contact the DC.
Ask your instructor to be a little more specific. If he tells you a computer that is joined to a domain uses cached credentials to log you on while you are on the network, he is incorrect.
WGU - MBA: I.T. Management --> Graduated!!
WGU - B.S. Information Technology—Network Administration --> Graduated!!
:thumbup: -
Devilsbane Member Posts: 4,214 ■■■■■■■■□□
I'm looking for a technet article that goes through the steps of logon. If I find something that goes into enough detail about contacting the DC to get TGTs and TSTs I'll print it out and bring it to him.
Decide what to be and go be it.
-
QHalo Member Posts: 1,488
This shows how domain logon takes place.
How Interactive Logon Works: Logon and Authentication
This shows how he could be right in certain cases, however it's a very specific case and also deals with Windows XP and slow login processes. I'm not sure how much it relates to Windows 7 but I thought I'd show it anyway. I highly doubt he was thinking about this though.
How to Speed up the Login Process for Domain Workstations
http://blog.bigsmoke.us/2010/03/17/fixing-extremely-slow-domain-logon-windows-7
-
Devilsbane Member Posts: 4,214 ■■■■■■■■□□
That first link is what I'm looking for, unfortunately that particular article only applies to Server 2003. He says that this is a new feature with Windows 7.
It could be something like that second thing, but he says you always log on with cached credentials. (He also says Microsoft has been bragging this "feature" up. Wouldn't that mean that finding evidence was easy??)
Anyway, I'll keep looking. Thanks for the links and ideas.
Decide what to be and go be it. -
Devilsbane Member Posts: 4,214 ■■■■■■■■□□
dales wrote: »That might be something to do with AD replication, no!? I've just tried it: created a new account, logged on and off, then deleted (not disabled) the account. It let me log on once but then not again when I tried a minute or two later. If not then by jingo what a security hole!!
If you were to log on and remove the computer from the network, you would be able to keep logging on until you connected it to the network.
A couple weeks ago I was testing lockout procedures on a laptop that was disconnected from the network. I attempted login about a dozen times using a bad password and then logged on using my password and got in. Our lockout threshold is 5, so I was way above it. There is no way to validate lockouts/disables/deletions if the computer is never able to contact the domain. If contact can't be made then it attempts cached credentials (unless it has been disabled).
Decide what to be and go be it. -
higherho Member Posts: 882
Devilsbane wrote: »He is saying that if you are sitting in your office plugged into the network, sitting 50 feet from a DC that you have access to, you will log in with cached credentials and then contact the DC later. I can't see how Microsoft could possibly do this.
I did a google search and found nothing so I thought I would pose it to our intelligent group here. If this is the way it is, at least someone else would have heard about it through a reading or something. We have a couple more days of class and I've asked for proof. Is it possible he is confusing it with something else? I can't even think of anything similar enough to possibly get it confused with.
If your DC is down you can unplug your network connection and log in with cached credentials (happened at work one day and I instructed users to put their CAC (common access card) in after they unplugged their network cable). If the NIC can contact the domain it will contact the domain first and not use your cached credentials (I will confirm this with some of the senior admins who work in my building to make sure but I'm 95% confident it does).
Of course our cache credentials get deleted after two days. So you will need to log in connected to the network to authenticate to the domain anyways. This works on Windows XP and Windows 7 and really any OS that stores cached credentials.
btw I think he is wrong I have asked all the Enterprise Administrators I know and they stated that it authenticates against the DC first. -
rudy devries Registered Users Posts: 1 ■□□□□□□□□□
It's just how Kerberos (default auth. mechanism since W2K3 domains) works. If you log on, you don't have a TGT so you always contact a DC to get a TGT. Just take a network trace when logging on and you'll see. So you always authenticate against a DC when logging on. This does not mean the password is stored. The fall-back auth. mechanism in any Windows system is still some flavor of NTLM auth. In order to use this, when you log on to a system it will always generate an "NT hash" from your password and, by default, store it locally. Even in Windows 7 and Windows Vista. What has changed since Windows Vista is that the weaker "LM hash" is not stored any more.
But even if your password is not stored on the system, it is stored locally in memory to handle the authentication request (Kerberos) or to process an "NTLM challenge".
So in a way your teacher may be right, but he doesn't tell the whole story. (Or he tells the story wrong.)
If you want to know the whole story dig deeper in windows authentication mechanisms.
See
https://www.ibm.com/developerworks/mydeveloperworks/blogs/CloudComputing/entry/kerberos_operation?lang=en
Restricting cached credentials in Windows
Dumping NTLM Hash’s from Windows with Fgdump.
I don't know by heart whether, when you disable cached credentials by GPO, you won't be able to retrieve "NT hashes" of domain users from a system.
enjoy. -
Don'tH8me Registered Users Posts: 1 ■□□□□□□□□□
If Windows 7 always logged on using cached credentials, how would you log on the first time?