Re: Cached credentials and password expiration

From: Scott Lowe (slowe-NOSPAM_at_NOSPAM-mercurionsystems.com)
Date: 01/04/05


Date: Tue, 4 Jan 2005 09:25:37 -0500

On 2005-01-03 23:48:44 -0500, "Herb Martin" <news@LearnQuick.com> said:

"Scott Lowe" <slowe-NOSPAM@NOSPAM-mercurionsystems.com> wrote in message
news:33uf9pF45h8vlU1@individual.net...
> On 2005-01-03 21:20:49 -0500, "Herb Martin" <news@LearnQuick.com> said:
>
> There is no IAS server in place in this environment currently; that is
> slated to be added soon. In either event, the presence or absence of
> an IAS server to perform RADIUS authentication does not affect
> connectivity to the DCs during the logon process. (IAS will handle the
> VPN authentication against AD, but that doesn't address logon
> authentication--we need an updated VPN client for that.)

Sorry, I must have confused your original question with someone
else's who mentioned IAS, but the issue remains similar if you
are authenticating the VPN (RRAS) against AD instead of just
separate server connections etc.

> So...bottom line is this: To the best of everyone's knowledge thus
> far, the cached credentials do not also store password information
> expiration, and therefore the expiration of a user's password on the
> domain should not affect their ability to logon locally with cached
> credentials. Is that correct?

I believe that is correct. Unless the client computer
is in contact (authenticated itself) with a DC.

> Does anyone know under what circumstances it is possible for cached
> credentials to be damaged or corrupted and not function correctly any
> longer?

If the computer authenticates itself with a DC.

Herb, what you're saying is that if a DC is available when the computer
boots up and presents the Ctrl-Alt-Del screen for logon, cached
credentials are not (will not be) used. Yes?

Are there any other circumstances in which, minus connectivity to a DC
at boot time, Windows will refuse to use cached credentials and thus
refuse logons to a domain account because a domain controller cannot be
found?

-- 
Scott Lowe
Mercurion Systems, Inc.

