Re: Domain authentication
If anything, you would want to configure an AD client to flush cached credentials rather than use them. The cached credentials were meant more as a worst-case scenario (i.e. local network connectivity goes down and users still need to log in, etc.).

Cached credentials were not designed as a solution for logging in. If clients do not authenticate against a DC then they do not know about their security rights along with network resources and a slew of additional LDAP features. Also, if you have a domain password policy which expires passwords every x days then the synchronization will be thrown off as well.

If this is just a handful of workstations you might want to simply create local accounts and have the users authenticate against the local machine (while keeping the workstations in the domain and you manage the accounts remotely). You could also decentralize those handful of workstations by disjoining them from the domain and creating a workgroup type setup. If it's more than a handful of machines then you might want to consider getting a lightweight DC up and running in that location.

It all depends on how much administrative overhead you're willing to deal with and what your design requires.

-penlaster


Dharan Prakash wrote:
In a typical Active Directory domain environment, the clients authenticate users and this authentication happens on the domain controller. But if the domain controller is not available or cannot be contacted, authentication happens at the client itself using cached credentials. I have two queries.
1. Can we configure the client so that domain authentication happens using cached credentials most of the time, or contacts the domain controller less frequently?
2. From the security perspective, what are the caveats of this approach?

thanks
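As an added example (not part of this thread, and not penlaster's or Dharan's code), a PowerShell check for the client setting penlaster refers to. It assumes the standard Winlogon registry value CachedLogonsCount, which backs the "Interactive logon: Number of previous logons to cache" policy, and that it is run in an elevated session on a domain-joined client.

```powershell
# Added example: audit, and optionally disable, cached domain logons on a Windows client.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonPolicy {
    # CachedLogonsCount is a REG_SZ; when the value is absent Windows uses its default of 10.
    $raw = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    $count = if ($null -eq $raw) { 10 } else { [int]$raw }
    [pscustomobject]@{
        CachedLogonsCount = $count
        CachingDisabled   = ($count -eq 0)
        # $true only if this machine can currently reach a DC over its secure channel
        SecureChannelOk   = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
    }
}

function Disable-CachedLogons {
    # 0 means every interactive domain logon must be verified by a DC: this is the
    # "flush rather than use" trade-off from the thread, so users cannot log on offline.
    Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value '0' -Type String
    # Assumption: the new value applies to subsequent logons; entries cached earlier are
    # not removed by this write alone.
}

$state = Get-CachedLogonPolicy
$state | Format-List
if (-not $state.SecureChannelOk) {
    Write-Warning 'No secure channel to a DC right now; setting 0 here would lock domain users out.'
} elseif (-not $state.CachingDisabled) {
    Write-Host "Cached logons allowed: $($state.CachedLogonsCount). Run Disable-CachedLogons to set 0."
}
```

The same policy can be pushed by Group Policy under Security Options instead of writing the registry directly; the script is useful for verifying what a given workstation actually has applied.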