  1. Senior Member Devilsbane's Avatar
    Join Date
    Apr 2010
    Posts
    4,203

    Certifications
    MCSE:Security, MCDST, A+, Network+, Security+, ITIL V3 Foundations, ITIL 2011 Intermediate: Service Transition, MOS 2007 (MCAS) BAS Computer Forensics
    #1

    Windows 7 logon with cached credentials

    Sitting in a Windows training class and the instructor claims that you ALWAYS log onto Windows 7 using cached credentials. I have been catching errors left and right from him, and this seems like another one. He says that he can't explain it, but it is the way it is. You log on cached and then contact a DC later.

    Can anyone confirm or deny this? RK, I'm looking at you.

  3. Senior Member
    Join Date
    Oct 2010
    Posts
    300

    Certifications
    Security+, ITIL Foundations, ITIL OSA
    #2
    You can set GPOs to not cache logins, so I don't see how that would be right. Admittedly, I've never been in a place that has enforced it.

  4. Where am I? NOLAJ's Avatar
    Join Date
    Nov 2010
    Location
    Florida
    Posts
    487

    Certifications
    MCITP- Server Admin, MCTS- Network Infrastructure, MCTS- Active Directory, MCTS- Windows 7, CCNA, Sec+, Proj+, Net+, A+, CIW Found. V5, Java
    #3
    If the computer is joined to a domain, and you try to log on with domain credentials, and a DC is not available (i.e., off the network or on the network without an internet connection), you couldn't log on without cached credentials. Of course, local accounts on the computer would be the exception.

  5. Senior Member Devilsbane's Avatar
    Join Date
    Apr 2010
    Posts
    4,203

    Certifications
    MCSE:Security, MCDST, A+, Network+, Security+, ITIL V3 Foundations, ITIL 2011 Intermediate: Service Transition, MOS 2007 (MCAS) BAS Computer Forensics
    #4
    Quote Originally Posted by NOLAJ View Post
    If the computer is joined to a domain, and you try to log on with domain credentials, and a DC is not available (i.e., off the network or on the network without an internet connection), you couldn't log on without cached credentials. Of course, local accounts on the computer would be the exception.
    He is saying that if you are sitting in your office plugged into the network, sitting 50 feet from a DC that you have access to, you will log in with cached credentials and then contact the DC later. I can't see how Microsoft could possibly do this.

    I did a Google search and found nothing, so I thought I would pose it to our intelligent group here. If this is the way it is, at least someone else would have heard about it through a reading or something. We have a couple more days of class and I've asked for proof. Is it possible he is confusing it with something else? I can't even think of anything similar enough to possibly get it confused with.
    Last edited by Devilsbane; 06-30-2011 at 05:19 PM.

  6. Junior Member
    Join Date
    Jun 2010
    Location
    Northern Virginia
    Posts
    27

    Certifications
    MCP, MCTS: Windows 7
    #5
    I'm not an expert (look at my certs), but as another member said, you either log on using cached credentials or contact the DC. As another user asked, if you were REQUIRED to cache credentials even when a DC was available, why would they give you the option to disable it?

  7. Member TechZilla's Avatar
    Join Date
    May 2011
    Location
    Tampa, FL
    Posts
    58

    Certifications
    VCP5
    #6
    The way that I've always understood it is that the machine searches for an available DC first and if it is unable to find one it uses your cached credentials.

    But thinking on it more, you can still logon to a computer with a user account that has been deleted from AD because of the cached creds. Makes me wonder if it really does look for a DC first.

    To find out whether you were logged on to the domain:

    Type set at a command line.
    Check the LOGONSERVER environment variable.
    If it is set to the name of your computer, you were logged on using cached domain credentials. If you were validated by a DC, the LOGONSERVER value would be set to the name of a DC. You can use the echo command:
    echo %USERNAME% %LOGONSERVER%

    to get a quick look at the logon server.

    If you have rights to view the event log, check the System log. If you were logged on using cached credentials, you see the following event:

    Event ID 5719
    Last edited by TechZilla; 06-30-2011 at 12:57 PM.
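    The check described above, written out as a PowerShell function (added example, not code from the thread). It combines the two indicators the post names: the LOGONSERVER variable compared against the computer name, and NETLOGON event 5719 in the System log. It assumes a domain-joined Windows 7 or later host with PowerShell 2.0 or newer and read access to the System log; the parameter defaults and the one-hour lookback window are my choices.

```powershell
# Added example, not code from the thread. Checks whether this session was
# validated by a domain controller or from the local credential cache, using the
# two indicators TechZilla names: the LOGONSERVER variable and NETLOGON event
# 5719 in the System log. Assumes a domain-joined Windows 7 or later host with
# PowerShell 2.0+ and read access to the System log.

function Get-LogonSource {
    param(
        # LOGONSERVER is "\\DC01" after a DC-validated logon, or "\\<this PC>"
        # after a cached logon. Parameters default to the live environment so the
        # function can also be fed captured values for offline analysis.
        [string]$LogonServer     = $env:LOGONSERVER,
        [string]$ComputerName    = $env:COMPUTERNAME,
        [string]$UserName        = $env:USERNAME,
        [int]   $LookbackMinutes = 60
    )

    $server = $LogonServer.TrimStart('\')
    $cached = [string]::Equals($server, $ComputerName,
                               [System.StringComparison]::OrdinalIgnoreCase)

    # NETLOGON 5719 ("not able to set up a secure session with a domain
    # controller") in the System log is the event the post points at for a
    # cached logon. Count recent occurrences; finding none is not an error.
    $since  = (Get-Date).AddMinutes(-$LookbackMinutes)
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5719; StartTime = $since } `
                             -ErrorAction SilentlyContinue)

    $verdict = if ($cached) {
        'Cached credentials: no DC validated this logon'
    } elseif ($events.Count -gt 0) {
        'DC-validated, but NETLOGON 5719 was logged recently; check DC reachability'
    } else {
        'DC-validated'
    }

    New-Object PSObject -Property @{
        User                  = $UserName
        ComputerName          = $ComputerName
        LogonServer           = $server
        UsedCachedCredentials = $cached
        Recent5719Events      = $events.Count
        Verdict               = $verdict
    }
}

# Run it for the current session (the same information as
# "echo %USERNAME% %LOGONSERVER%" plus the event-log check):
Get-LogonSource | Format-List User, ComputerName, LogonServer, UsedCachedCredentials, Recent5719Events, Verdict
```

    Because the inputs are parameters, the same function can be pointed at values collected from another machine (for example from a logon script that records `%LOGONSERVER%`) without re-running it there.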

  8. Its all smoke and mirrors dales's Avatar
    Join Date
    Jan 2008
    Posts
    223

    Certifications
    vExpert 2014+2015, VCP5-DT,VCP3+5, CCE-V, CCE-AD, CCP-AD ,CCEE, CCAA XenApp, CCA Netscaler,Xenapp 6.5,Xendesktop 5 & Xenserver 6,MCSA, MCDST, MCP, A+
    #7
    Quote Originally Posted by TechZilla View Post
    The way that I've always understood it is that the machine searches for an available DC first and if it is unable to find one it uses your cached credentials.

    But thinking on it more, you can still logon to a computer with a user account that has been deleted from AD because of the cached creds. Makes me wonder if it really does look for a DC first.
    That might be something to do with AD replication, no!? I've just tried it: created a new account, logged on and off, then deleted (not disabled) the account. It let me log on once but then not again when I tried a minute or two later. If not, then by jingo what a security hole!!

  9. Senior Member citinerd's Avatar
    Join Date
    May 2005
    Location
    MD
    Posts
    264

    Certifications
    MS:ISA, BSIT:Network Administration, CMNA, CCNA, CCDA, A+, NET+, SEC+, Project+, MCTS(70-680), MCSE 2003, MCSA 2008
    #8
    If a DC is available, it always contacts the DC. Case in point: if you disable a user and that user tries to log on to a PC where cached credentials were stored and it IS on the network, the user is denied access. Otherwise users would be able to log on at least one more time.

  10. Senior Member
    Join Date
    Jan 2009
    Posts
    297

    Certifications
    A+, Network +, MCSE 2003, CCNA:S, VCP 4
    #9
    Always is a strong word and usually wrong. I normally set a GPO to make the "cached login count" zero; that way either you authenticate against a DC or you don't log in, period.

    If he says "always" then ask him what happens the first time you log onto a computer you've never logged onto before?

    A way to test:
    Log on with a generic account, then log off.
    Go to AD and change that user's password.
    Try to log on again with the old password. If it takes the old password then you're using cached credentials; if it makes you use the new password then your instructor is wrong.
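    An added example (not code from the thread) of auditing, and if needed changing, the "cached login count" this post drives to zero by GPO. The policy "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" writes the REG_SZ value CachedLogonsCount under the Winlogon key; valid values are 0 to 50, and Windows behaves as if it were 10 when the value is absent. The function names and the compliance maximum are my own; it assumes Windows 7 or later and local admin rights for the Set function.

```powershell
# Added example, not code from the thread. Audits (and optionally sets) the
# "cached login count" the poster drives to zero via GPO. The policy
# "Interactive logon: Number of previous logons to cache (in case domain
# controller is not available)" writes the REG_SZ value CachedLogonsCount under
# the Winlogon key; valid values are 0..50 and Windows uses 10 when it is absent.
# Assumes Windows 7 or later and, for Set-CachedLogonsCount, local admin rights.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    $item = Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($item -eq $null -or $item.CachedLogonsCount -eq $null) {
        return 10   # value not present: Windows default
    }
    return [int]$item.CachedLogonsCount
}

function Test-CachedLogonsPolicy {
    param(
        # Largest count your policy tolerates. 0 reproduces the poster's setting:
        # either a DC validates you or you do not log on at all.
        [int]$Maximum = 0
    )
    $current = Get-CachedLogonsCount
    $note = if ($current -eq 0) {
        'No cached logons: users off the network (laptops, DC outage) cannot log on with domain accounts'
    } elseif ($current -le $Maximum) {
        "Within policy: up to $current users can log on from the cache while a DC is unreachable"
    } else {
        "Exceeds policy maximum of $Maximum; set the GPO or use Set-CachedLogonsCount"
    }
    New-Object PSObject -Property @{
        CachedLogonsCount = $current
        Compliant         = ($current -le $Maximum)
        Note              = $note
    }
}

function Set-CachedLogonsCount {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateRange(0, 50)]
        [int]$Count
    )
    # Written as a string because the value is REG_SZ, matching what the GPO writes.
    # A domain GPO that manages this setting overwrites a local change at the next
    # policy refresh, so prefer the GPO in a managed environment.
    Set-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -Value ([string]$Count) -Type String
}

Test-CachedLogonsPolicy -Maximum 0 | Format-List
```

    The zero setting makes the trade-off later posts describe explicit: a laptop that cannot reach a DC will refuse domain logons entirely, so the audit prints that consequence rather than only a pass/fail.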

  11. Where am I? NOLAJ's Avatar
    Join Date
    Nov 2010
    Location
    Florida
    Posts
    487

    Certifications
    MCITP- Server Admin, MCTS- Network Infrastructure, MCTS- Active Directory, MCTS- Windows 7, CCNA, Sec+, Proj+, Net+, A+, CIW Found. V5, Java
    #10
    Citinerd is correct. If the DC is available, it will always contact the DC.

    Ask your instructor to be a little more specific. If he tells you a computer that is joined to a domain uses cached credentials to log you on while you are on the network, he is incorrect.

  12. Senior Member Devilsbane's Avatar
    Join Date
    Apr 2010
    Posts
    4,203

    Certifications
    MCSE:Security, MCDST, A+, Network+, Security+, ITIL V3 Foundations, ITIL 2011 Intermediate: Service Transition, MOS 2007 (MCAS) BAS Computer Forensics
    #11
    I'm looking for a TechNet article that goes through the steps of logon. If I find something that goes into enough detail about contacting the DC to get TGTs and TSTs, I'll print it out and bring it to him.

  13. DoWork
    Join Date
    Jun 2010
    Location
    A major Illinois hospital system near you
    Posts
    1,468

    Certifications
    vExpert, VCAP5-DCA/DCD, VCP5-DCV, VCIX-NV, VCP-NV, BSTM
    #12
    This shows how domain logon takes place.

    How Interactive Logon Works: Logon and Authentication

    This shows how he could be right in certain cases; however, it's a very specific case and also deals with Windows XP and slow login processes. I'm not sure how much it relates to Windows 7, but I thought I'd show it anyway. I highly doubt he was thinking about this, though.

    How to Speed up the Login Process for Domain Workstations
    http://blog.bigsmoke.us/2010/03/17/f...ogon-windows-7
    Last edited by QHalo; 06-30-2011 at 04:54 PM.

  14. Senior Member Devilsbane's Avatar
    Join Date
    Apr 2010
    Posts
    4,203

    Certifications
    MCSE:Security, MCDST, A+, Network+, Security+, ITIL V3 Foundations, ITIL 2011 Intermediate: Service Transition, MOS 2007 (MCAS) BAS Computer Forensics
    #13
    That first link is what I'm looking for; unfortunately that particular article only applies to Server 2003. He says that this is a new feature with Windows 7.

    It could be something like that second thing, but he says you always log on with cached credentials. (He also says Microsoft has been bragging this "feature" up. Wouldn't that mean that finding evidence was easy??)

    Anyway, I'll keep looking. Thanks for the links and ideas.

  15. Senior Member Devilsbane's Avatar
    Join Date
    Apr 2010
    Posts
    4,203

    Certifications
    MCSE:Security, MCDST, A+, Network+, Security+, ITIL V3 Foundations, ITIL 2011 Intermediate: Service Transition, MOS 2007 (MCAS) BAS Computer Forensics
    #14
    Quote Originally Posted by dales View Post
    That might be something to do with AD replication, no!? I've just tried it: created a new account, logged on and off, then deleted (not disabled) the account. It let me log on once but then not again when I tried a minute or two later. If not, then by jingo what a security hole!!
    If you were to log on and remove the computer from the network, you would be able to keep logging on until you connected it to the network.

    A couple weeks ago I was testing lockout procedures on a laptop that was disconnected from the network. I attempted login about a dozen times using a bad password and then logged on using my password and got in. Our lockout threshold is 5, so I was way above it. There is no way to validate lockouts/disables/deletions if the computer is never able to contact the domain. If contact can't be made, then it attempts cached credentials (unless it has been disabled).

  16. Senior Member
    Join Date
    Oct 2010
    Posts
    857

    Certifications
    CISSP, CEH
    #15
    Quote Originally Posted by Devilsbane View Post
    He is saying that if you are sitting in your office plugged into the network, sitting 50 feet from a DC that you have access to, you will log in with cached credentials and then contact the DC later. I can't see how Microsoft could possibly do this.

    I did a Google search and found nothing, so I thought I would pose it to our intelligent group here. If this is the way it is, at least someone else would have heard about it through a reading or something. We have a couple more days of class and I've asked for proof. Is it possible he is confusing it with something else? I can't even think of anything similar enough to possibly get it confused with.
    If your DC is down, you can unplug your network connection and log in with cached credentials (it happened at work one day and I instructed users to put their CAC (Common Access Card) in after they unplugged their network cable). If the NIC can contact the domain, it will contact the domain first and not use your cached credentials (I will confirm this with some of the senior admins who work in my building to make sure, but I'm 95% confident it does).

    Of course, our cached credentials get deleted after two days, so you will need to log in connected to the network to authenticate to the domain anyway. This works on Windows XP and Windows 7 and really any OS that stores cached credentials.

    BTW, I think he is wrong. I have asked all the Enterprise Administrators I know and they stated that it authenticates against the DC first.
    Last edited by higherho; 07-15-2011 at 11:45 AM.

  17. Junior Member Registered Member
    Join Date
    Feb 2012
    Posts
    1
    #16
    It's just how Kerberos (default auth. mechanism since W2K3 domains) works. If you log on, you don't have a TGT, so you always contact a DC to get a TGT. Just take a network trace when logging on and you'll see. So you always authenticate against a DC when logging on. This does not mean the password is stored. The fall-back auth. mechanism in any Windows system is still some flavor of NTLM auth. In order to use this, when you log on to a system it will always generate an "NT hash" from your password and, by default, store it locally. Even in Windows 7 and Windows Vista. What has changed since Windows Vista is that the weaker "LM hash" is not stored any more.
    But even if your password is not stored on the system, it is stored locally in memory to handle the authentication request (Kerberos) or to process an "NTLM challenge".
    So in a way your teacher may be right, but he doesn't tell the whole story. (Or he tells the story wrong.)
    If you want to know the whole story, dig deeper into Windows authentication mechanisms.
    See
    https://www.ibm.com/developerworks/m...ration?lang=en
    Restricting cached credentials in Windows
    Dumping NTLM Hashes from Windows with Fgdump.

    I don't know by heart if, when you disable the cached credentials by GPO, you won't be able to retrieve "NT hashes" from domain users on a system.

    Enjoy.
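    To make the Kerberos-versus-NTLM and "you always contact a DC for a TGT" points in the post above observable on a workstation, here is an added example (not code from the thread or from any of the linked articles). It breaks recent Security event 4624 logons down by logon type and authentication package, and checks whether the current session holds a Kerberos TGT via the built-in klist tool. Logon type 2 is Interactive, 7 Unlock, 10 RemoteInteractive and 11 CachedInteractive (validated from the local cache with no DC involved); AuthenticationPackageName is Kerberos or NTLM. The function names and the 500-event window are my own; it assumes Windows 7 or later and admin rights to read the Security log.

```powershell
# Added example, not code from the thread. Breaks down recent Security 4624 logon
# events by logon type and authentication package, and checks whether the current
# session holds a Kerberos TGT, so the post's Kerberos-vs-NTLM and
# "you always contact a DC for a TGT" points can be observed directly.
# Logon type 2 = Interactive, 7 = Unlock, 10 = RemoteInteractive,
# 11 = CachedInteractive (validated from the local cache, no DC);
# AuthenticationPackageName is Kerberos or NTLM. Assumes Windows 7 or later,
# admin rights to read the Security log, and the built-in klist.exe.

$LogonTypeNames = @{ 2 = 'Interactive'; 7 = 'Unlock'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

function Get-InteractiveLogons {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $type = [int]$data['LogonType']
            if ($LogonTypeNames.ContainsKey($type)) {
                New-Object PSObject -Property @{
                    Time        = $_.TimeCreated
                    User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                    LogonType   = $LogonTypeNames[$type]
                    AuthPackage = $data['AuthenticationPackageName']
                }
            }
        }
}

function Get-LogonSummary {
    # Counts per (LogonType, AuthPackage). A DC-validated domain logon shows as
    # Interactive/Kerberos; CachedInteractive rows are the logons the thread is
    # arguing about, and NTLM rows show the fall-back path the post describes.
    Get-InteractiveLogons | Group-Object LogonType, AuthPackage |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'LogonType/AuthPackage'; e = { $_.Name } }, Count
}

function Test-KerberosTgt {
    # klist lists the tickets of the current logon session; a krbtgt/<REALM>
    # entry is the TGT that only a DC can issue. After a cached logon there is
    # none until a DC has been reached.
    $out = & klist 2>&1 | Out-String
    New-Object PSObject -Property @{
        HasTgt  = ($out -match 'krbtgt/')
        Tickets = @([regex]::Matches($out, 'Server:\s*(\S+)') | ForEach-Object { $_.Groups[1].Value })
    }
}

Get-LogonSummary | Format-Table -AutoSize
Test-KerberosTgt | Format-List
```

    Read together with the password-change test earlier in the thread, the summary gives a defender a second, log-based view: a CachedInteractive row for a domain account while the machine was on the wired network is the condition the instructor claimed is normal, and its absence is the evidence the original poster was looking for.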

  18. Junior Member Registered Member
    Join Date
    Sep 2013
    Location
    Fayetteville, NC
    Posts
    1

    Certifications
    MCITP: Enterprise Administrator, MCTS, MCSE+S, MCSA+S, MCP, Sec+, Net+, Master of Science: Information Systems, Bachelor of Science: Information Tech.
    #17

    Think Logically

    If Windows 7 always logged on using cached credentials, how would you log on the first time?

  19. DoWork
    Join Date
    Jun 2010
    Location
    A major Illinois hospital system near you
    Posts
    1,468

    Certifications
    vExpert, VCAP5-DCA/DCD, VCP5-DCV, VCIX-NV, VCP-NV, BSTM
    #18
    Rise!!!
