Re: Cached credentials and password expiration

From: Scott Lowe (slowe-NOSPAM_at_NOSPAM-mercurionsystems.com)
Date: 01/03/05


Date: Mon, 3 Jan 2005 13:30:52 -0500

On 2005-01-03 12:00:35 -0500, "Herb Martin" <news@LearnQuick.com> said:

>> "Scott Lowe" <slowe-NOSPAM@NOSPAM-mercurionsystems.com> wrote in message
>> news:33t5tqF3u0fboU1@individual.net...

<snip>

>> password expiration policies to be enforced. These remote users
>> connect to the domain via VPN on a very regular basis, but are not able
>> to log on "live" to a DC so that their cached credentials can be updated
>> or so that they can receive password expiration notices. (There is a
>> fix for that in the works, but it will be a while before that can be
>> rolled out to everyone.)
>
> Why not? It is possible to authenticate through such,
> in fact this has been going on with RRAS and its
> predecessors using dial for years.

It's not a matter of technology. The specifics of this particular
environment and this particular network are driving that timeline. For
*this* environment, it will be a few months before "live" network
logons over a VPN connection are possible.

>> So, do the cached credentials also include password expiration
>> information? If not, does anyone have any other suggestions as to why this
>> may be occurring (users suddenly unable to log on to their workstation
>> with cached credentials--error message is "No domain controller
>> available to log you on" or similar)?
>
> I don't believe so -- it is more likely the machine
> is authenticating ITSELF with the domain, at that
> point it CAN deny the user access.

So are you referring here to a problem with the machine account
password, or am I misunderstanding your suggestion?

> The key here is (I believe) that you can only use
> cached credentials IF your computer cannot find
> a DC to authenticate itself.

We know that given the current VPN connection method, users DO NOT have
access to a domain controller during the logon process. However, they
are connected to the VPN on a very regular basis, since the VPN
connection provides their *only* way to check e-mail and access other
mission-critical enterprise applications. The real question is, does
this regular (non-logon) network connectivity affect the cached
credentials and how they behave over time?

TIA.

-- 
Scott Lowe
Mercurion Systems, Inc.
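An added diagnostic for the situation discussed in this thread (not part of the original posts): run it on the remote workstation while the VPN is up, and it reports the three things a failed cached logon usually turns on: the client's cached-logon allowance, whether the machine account's secure channel with a DC is healthy, and when the user's domain password actually expires. It assumes an elevated PowerShell session on a domain-joined Windows client with the RSAT ActiveDirectory module installed; the placeholder `$userToCheck` is supplied by the caller.

```powershell
# Added example: diagnose cached-logon / machine-account / password-expiry state
# over a VPN session. Assumes RSAT ActiveDirectory module and an elevated session.
param([string]$userToCheck = $env:USERNAME)   # placeholder; any domain sAMAccountName

Import-Module ActiveDirectory -ErrorAction Stop

# 1. How many distinct domain users may log on from cache. 0 disables caching,
#    which produces the "No domain controller available" logon failure.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = 10 }   # Windows default when the value is absent
"CachedLogonsCount : $cached"

# 2. Can a DC be reached at all right now (i.e. is the VPN actually carrying AD traffic)?
$dc = Get-ADDomainController -Discover -ErrorAction SilentlyContinue
if (-not $dc) {
    "No DC reachable: cached credentials will be used at next logon; nothing can refresh."
    return
}
"DC reachable      : $($dc.HostName)"

# 3. Machine account health. A broken secure channel means the *computer* cannot
#    authenticate, which is the failure mode suggested in the thread.
$secureChannel = Test-ComputerSecureChannel
"Secure channel OK : $secureChannel"
$comp = Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet
"Machine pwd set   : $($comp.PasswordLastSet)"
if (-not $secureChannel) {
    "Repair with: Test-ComputerSecureChannel -Repair -Credential (Get-Credential)"
}

# 4. User password expiry, read from the DC while connected, since logon-time
#    expiry notices never fire for a cached logon.
$u = Get-ADUser -Identity $userToCheck -Properties msDS-UserPasswordExpiryTimeComputed, PasswordExpired
$expiryRaw = $u.'msDS-UserPasswordExpiryTimeComputed'
if ($expiryRaw -and $expiryRaw -ne [Int64]::MaxValue) {
    $expires = [DateTime]::FromFileTime($expiryRaw)
    "Password expires  : $expires (in $([int]($expires - (Get-Date)).TotalDays) days)"
} else {
    "Password expires  : never"
}
"Password expired  : $($u.PasswordExpired)"
```

If the secure channel is healthy and the password is not expired but cached logons still fail, the cache count or a stale cached entry (for example a password changed elsewhere that the workstation never saw) is the next thing to examine.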
