Authentication via Cached Credentials

Hi All!

I am wondering if there is a way to mentain AD authentication in a
temporarily isolated network (ISP link goes down). I would need my users to
be able to access shares. Also a local account is out of the question due to
security reasons.

Thank You

Hello Andrei,

Are your users working remotely? Or why is the part with ISP? If they have
to login remotely to the domain and they can not access the DC they can also
not authenticate for share access.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi All!
>
> I am wondering if there is a way to mentain AD authentication in a
> temporarily isolated network (ISP link goes down). I would need my
> users to be able to access shares. Also a local account is out of the
> question due to security reasons.
>
> Thank You
>

Andrei <Andrei@discussions.microsoft.com> wrote:
> Hi All!
>
> I am wondering if there is a way to mentain AD authentication in a
> temporarily isolated network (ISP link goes down). I would need my
> users to be able to access shares. Also a local account is out of the
> question due to security reasons.
>
> Thank You

Cached credentials should work now. You can test this easily. However, if
you have a remote office, get a cheap server box for that location and
install it as a DC in your domain, in its own site/subnet, so users will
always authenticate locally. This is much more efficient and reliable.

I do have a file server in the remote location but it is w2003 storage, so it
cannot pe promoted to a secondary dc. What I would want is for a person who
logs in with cashed domain credentials to be able to access a share on the
local file server using those credentials.

"Lanwench [MVP - Exchange]" wrote:

> Andrei <Andrei@discussions.microsoft.com> wrote:
> > Hi All!
> >
> > I am wondering if there is a way to mentain AD authentication in a
> > temporarily isolated network (ISP link goes down). I would need my
> > users to be able to access shares. Also a local account is out of the
> > question due to security reasons.
> >
> > Thank You
>
> Cached credentials should work now. You can test this easily. However, if
> you have a remote office, get a cheap server box for that location and
> install it as a DC in your domain, in its own site/subnet, so users will
> always authenticate locally. This is much more efficient and reliable.
>
>
>

Andrei <Andrei@discussions.microsoft.com> wrote:
> I do have a file server in the remote location but it is w2003
> storage, so it cannot pe promoted to a secondary dc. What I would
> want is for a person who logs in with cashed domain credentials to be
> able to access a share on the local file server using those
> credentials.

I don't think this can work and I really suggest you put a DC in that
location.
>
> "Lanwench [MVP - Exchange]" wrote:
>
>> Andrei <Andrei@discussions.microsoft.com> wrote:
>>> Hi All!
>>>
>>> I am wondering if there is a way to mentain AD authentication in a
>>> temporarily isolated network (ISP link goes down). I would need my
>>> users to be able to access shares. Also a local account is out of
>>> the question due to security reasons.
>>>
>>> Thank You
>>
>> Cached credentials should work now. You can test this easily.
>> However, if you have a remote office, get a cheap server box for
>> that location and install it as a DC in your domain, in its own
>> site/subnet, so users will always authenticate locally. This is much
>> more efficient and reliable.

Hello Andrei,

If i am not wrong during the access of the shared folder there is also an
authentication done from the server to grant the user access. So if no DC
is available the server can not verify and will block access.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> I do have a file server in the remote location but it is w2003
> storage, so it cannot pe promoted to a secondary dc. What I would want
> is for a person who logs in with cashed domain credentials to be able
> to access a share on the local file server using those credentials.
>
> "Lanwench [MVP - Exchange]" wrote:
>
>> Andrei <Andrei@discussions.microsoft.com> wrote:
>>
>>> Hi All!
>>>
>>> I am wondering if there is a way to mentain AD authentication in a
>>> temporarily isolated network (ISP link goes down). I would need my
>>> users to be able to access shares. Also a local account is out of
>>> the question due to security reasons.
>>>
>>> Thank You
>>>
>> Cached credentials should work now. You can test this easily.
>> However, if you have a remote office, get a cheap server box for that
>> location and install it as a DC in your domain, in its own
>> site/subnet, so users will always authenticate locally. This is much
>> more efficient and reliable.
>>

Cached credentials work to get a user logged on locally but that is it, it
won't provide any tickets (Kerberos) or give them the ability to be provided
any tickets until after they have authenticated with the domain.

http://support.microsoft.com/kb/913485


Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4


http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This posting
is provided "AS IS" with no warranties, and confers no rights.



> Andrei <Andrei@discussions.microsoft.com> wrote:
>
>> Hi All!
>>
>> I am wondering if there is a way to mentain AD authentication in a
>> temporarily isolated network (ISP link goes down). I would need my
>> users to be able to access shares. Also a local account is out of the
>> question due to security reasons.
>>
>> Thank You
>>
> Cached credentials should work now. You can test this easily. However,
> if you have a remote office, get a cheap server box for that location
> and install it as a DC in your domain, in its own site/subnet, so
> users will always authenticate locally. This is much more efficient
> and reliable.
>