Windows 7 logon with cached credentials

DevilsbaneDevilsbane Member Posts: 4,212 ■■■■■■■■□□
Sitting in a Windows training class and the instructor claims that you ALWAYS log onto windows 7 using cached credentials. I have been catching errors left and right from him, and this seems like another one. He says that he can't explain it, but it is the way it is. You log on cached and then contact a DC later.

Can anyone confirm or deny this? RK, I'm looking at you. icon_thumright.gif
Decide what to be and go be it.

Comments

  • Repo ManRepo Man Member Posts: 300
    You can set GPO's to not cache logins so I don't see how that would be right. Admittedly, I've never been in a place that has enforced it.
  • NOLAJNOLAJ Member Posts: 490
    If the computer is joined to a domain, and you try to log on with domain credentials, and a DC is not available(i.e., off the network or on the network without an internet connection) you couldn't log on without cached credentials. Of course, local accounts on the computer would be the exception.
    WGU - MBA: I.T. Management --> Graduated!!

    WGU -
    B.S. Information Technology—Network Administration --> Graduated!!


    :thumbup:
  • DevilsbaneDevilsbane Member Posts: 4,212 ■■■■■■■■□□
    NOLAJ wrote: »
    If the computer is joined to a domain, and you try to log on with domain credentials, and a DC is not available(i.e., off the network or on the network without an internet connection) you couldn't log on without cached credentials. Of course, local accounts on the computer would be the exception.

    He is saying that if you are sitting in your office plugged into the network, sitting 50 feet from a DC that you have access to, you will log in with cached credentials and the contact the DC later. I can't see how Microsoft could possibly do this.

    I did a google search and found nothing so I thought I would pose it to our intelligent group here. If this is the way it is, at least someone else would have heard about it through a reading or something. We have a couple more days of class and I've asked for proof. Is it possible he is confusing it with something else? I can't even think of anything similar enough to possibly get it confused with.
    Decide what to be and go be it.
  • rapyokerapyoke Member Posts: 27 ■□□□□□□□□□
    I'm not an expert (look at my certs) icon_lol.gif but as another member said, but you either logon using cached credentials or contact the DC. As another user asked, if you were REQUIRED to cache credentials even when a DC was available, why would they give you the option to disable it?
    [X]70-270 - Configuring Windows XP Professional
    [X]70-680 - Configuring Windows 7
    [X]640-802 - CCNA
    [ ] MCITP
  • TechZillaTechZilla Member Posts: 58 ■■□□□□□□□□
    The way that I've always understood it is that the machine searches for an available DC first and if it is unable to find one it uses your cached credentials.

    But thinking on it more, you can still logon to a computer with a user account that has been deleted from AD because of the cached creds. Makes me wonder if it really does look for a DC first.
    To find out whether you were logged on to the domain:

    Type set at a commandline.
    Check the LOGONSERVER environmental entry.
    If it is set to the name of your computer, you were logged on using cached domain credentials. If you were validated by a DC, the LOGONSERVER value would be set to the name of a DC. You can use the echo command:
    echo USERNAME %logonserver%

    to get a quick look at the logonserver.

    If you have rights to view the event log, check the System log. If you were logged on using cached credentials, you see the following event:

    Event ID 5719
  • dalesdales Member Posts: 225
    TechZilla wrote: »
    The way that I've always understood it is that the machine searches for an available DC first and if it is unable to find one it uses your cached credentials.

    But thinking on it more, you can still logon to a computer with a user account that has been deleted from AD because of the cached creds. Makes me wonder if it really does look for a DC first.

    That might be something to do with AD replication no!? I've just tried it created a new account logged on and off then deleted (not disabled) the account. It let me logon once but then not again when I tried a minute or two later. If not then by jingo what a security hole!!
    Kind Regards
    Dale Scriven

    Twitter:dscriven
    Blog: vhorizon.co.uk
  • citinerdcitinerd Member Posts: 266
    If a DC is available it always contacts the DC. Case and point. If you disable a user and that user tries to logon to a PC where cached credentials were stored and it IS on the network the user is denied access. Otherwise users would be able to log on at least one more time.
  • rwwest7rwwest7 Member Posts: 300
    Always is a strong word and usually wrong. I normally set a GPO to make the "cached login count" be zero, that way either you authenticate against a DC or you don't login period.

    If he says "always" then ask him what happens the first time you log onto a computer you've never logged onto before?

    A way to test:
    Log on with a generic account, then log off.
    Go to AD and change that users password
    Try to log on again with the old password, if it takes the old password then you're using cached credentials, if it makes you use the new password then your intructor is wrong.
  • NOLAJNOLAJ Member Posts: 490
    Citinerd is correct. If the DC is available, it will always contact the DC.

    Ask your instructor to be a little more specific. If he tells you a computer that is joined to a domain uses cached credentials to log you on while you are on the network, he is incorrect.
    WGU - MBA: I.T. Management --> Graduated!!

    WGU -
    B.S. Information Technology—Network Administration --> Graduated!!


    :thumbup:
  • DevilsbaneDevilsbane Member Posts: 4,212 ■■■■■■■■□□
    I'm looking for a technet article that goes through the steps of logon. If I find something that goes into enough detail about contacting the DC to get TGT's and TST's I'll print it out and bring it to him.
    Decide what to be and go be it.
  • QHaloQHalo Member Posts: 1,488
    This shows how domain logon takes place.

    How Interactive Logon Works: Logon and Authentication

    This shows how to he could be right in certain cases, however its a very specific case and also deals with Windows XP and slow login processes. I'm not sure how much it relates to Windows 7 but I thought I'd show it anyway. I highly doubt he was thinking about this though.

    How to Speed up the Login Process for Domain Workstations
    http://blog.bigsmoke.us/2010/03/17/fixing-extremely-slow-domain-logon-windows-7
  • DevilsbaneDevilsbane Member Posts: 4,212 ■■■■■■■■□□
    That first link is what I'm looking for, unfortunately that particular article only applies to server 2003. He says that this is a new feature with Windows 7.

    It could be something like that second thing, but he says you always log on with cached credentials. (He also says Microsoft has been bragging this "feature" up. Wouldn't that mean that finding evidence was easy??)

    Anyway, I'll keep looking. Thanks for the links and ideas.
    Decide what to be and go be it.
  • DevilsbaneDevilsbane Member Posts: 4,212 ■■■■■■■■□□
    dales wrote: »
    That might be something to do with AD replication no!? I've just tried it created a new account logged on and off then deleted (not disabled) the account. It let me logon once but then not again when I tried a minute or two later. If not then by jingo what a security hole!!

    If you were to log on and remove the computer from the network, you would be able to keep logging on until you connected it to the network.

    A couple weeks ago I was testing lockout procedures on a laptop that was disconnected from the network. I attempted login about a dozen times using a bad password and then logged on using my password and got in. Our lockout threshold is 5, so I was way above it. There is no way to validate lockouts/disables/deletions if the computer is never able to contact the domain. If contact can't be made then it attempts cached credentials (unless it has been disabled)
    Decide what to be and go be it.
  • higherhohigherho Member Posts: 882
    Devilsbane wrote: »
    He is saying that if you are sitting in your office plugged into the network, sitting 50 feet from a DC that you have access to, you will log in with cached credentials and the contact the DC later. I can't see how Microsoft could possibly do this.

    I did a google search and found nothing so I thought I would pose it to our intelligent group here. If this is the way it is, at least someone else would have heard about it through a reading or something. We have a couple more days of class and I've asked for proof. Is it possible he is confusing it with something else? I can't even think of anything similar enough to possibly get it confused with.

    If your DC is down you can unplug your network connection and log in with cached credentials (happened at work one day and I instructed users to put there CAC(common access card) in after they unplugged there network cable). If the NIC can contact the domain it will contact the domain first and not used your cached credentials (I will confirm this with some of the senior admins who work in my building to make sure but I'm 95% confident it does).

    Of course our cache credentials get deleted after two days. So you will need to log in connected to the network to authenticate to the domain anyways. This works on Windows XP and Windows 7 and really any OS that stores cached credentials.


    btw I think he is wrong I have asked all the Enterprise Administrators I know and they stated that it authenticates against the DC first.
  • rudy devriesrudy devries Registered Users Posts: 1 ■□□□□□□□□□
    I'ts just how Kerberos ( default auth. mechanism since w2K3 domains) works. If you logn, you don't have a TGT so you always contact a dc to get a TGT. just take a network trace when loging on and you'll see. So you always athenticate against a DC when loggin on. This does not mean the password is stored. The Fall-back Auth. mechanism in any windows system is still some flavor of NTLM auth. In order to use this, when you logon to a system it will always generate a "NT hash" from your password and ,default, store it localy. Even in windows 7 and windows Vista. What is changed since windows vista is that the weaker "LM hash" is not stored any more.
    Be even if your password is not stored on the systemit is stored locally in memory to handle the authentication request ( kerberos) or to to proces a "ntlm challenge".
    So in A way your teacher may be wright but he doesn't tell the whole story. (Or he tells teh story wrong).
    If you want to know the whole story dig deeper in windows authentication mechanisms.
    See
    https://www.ibm.com/developerworks/mydeveloperworks/blogs/CloudComputing/entry/kerberos_operation?lang=en
    Restricting cached credentials in Windows
    Dumping NTLM Hash’s from Windows with Fgdump.

    I don't know by heart when you disable the cached credentials by gpo, you won't be able to retrive "NT hashes" from domain users on a system

    enjoy.
  • Don'tH8meDon'tH8me Registered Users Posts: 1 ■□□□□□□□□□
    If Windows 7 always logged on using cached credentials, how would you log on the first time? icon_rolleyes.gif
Sign In or Register to comment.