#1
Cached Credentials stop working all of a sudden

Hello,

we have a Domain built on a mixture of 2003- and 2000-based domain controllers. We have lots of people who are on the road regularly using notebooks. Some people only log on to the domain once every half a year. When they are on the road they log on using cached credentials. They do not have local admin permissions and we do not allow them to use a local user account (this has been dictated by company management).

About once every 2 months we have a case where some laptop user all of a sudden cannot use his cached credentials anymore. The system shows a message that the domain cannot be contacted and that's it. This hits different people on different laptops without any warning. It has actually happened to myself when I was on a one-week vacation.

If we connect the laptop to the network and have the person log on "properly" the problem goes away and cached credentials work. Some people have RAS permissions and we have been able to "solve" the problem by having them log on using RAS.

We do not have a GP defining the use of cached credentials so the default of the last 10 logons is in place. We do not tamper with the cached logons in the registry either. There is no password expiration policy in place.

Does anybody have an idea? It's a real pain having to tell someone that he has to mail his notebook back to HQ half way around the world so that we can log him on.

Any help or hint would be greatly appreciated!
Thanks!
HarryH

#2
Re: Cached Credentials stop working all of a sudden

Hello HarryH,

Is this policy set somewhere in your domain, maybe counting to 60 (around 2 months)?

Computer Configuration->Windows Setting->Local Policy->Security
Interactive Logon: Number of previous logons to cache:

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

#3
Re: Cached Credentials stop working all of a sudden

This is a confusing setting: http://support.microsoft.com/kb/825805

Cached credentials do not time out, but they may stop working: http://support.microsoft.com/kb/818088. Do you have web services, OWA, TS or other ways people may change their password?

If a machine is going to be off the domain that long I would generally remove it from the domain.

Anthony
http://www.airdesk.co.uk

#4
Re: Cached Credentials stop working all of a sudden

Hello,

thanks for your hints. We left the number of previous logons to cache at its default of 10 and the laptops are personalized so usually it's just one person using the laptop. Therefore this number should never be a problem. Also I think the caching works in a FIFO fashion...

We do not have a password expiration policy but people have permissions to change their password. We do not use Exchange, so no OWA. Our VPN solution is not hooked into the GINA so users have to log in with cached credentials first and then establish the tunnel. Some users also have the ability to use a TS within the VPN. One of the mentioned articles states that password changes might not be reflected in the cache if no successful logon to the domain is done after the password change. But even if passwords are changed within the VPN or in a TS session and not cached properly at that point, I would think that the cache would still hold the old password? We have not had a case where any old passwords would have worked.

Regards
HarryH

#5
Re: Cached Credentials stop working all of a sudden

Harry,

A few more things to try:
- turn on full auditing of logons and account management on the DC and client so you can see exactly what security errors you have
- have a client leave and rejoin the domain and see if you have a problem with that client
- what is the AD domain name? Is it a public domain?

Anthony,
http://www.airdesk.co.uk

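An added example, not part of the original thread: once logon and account-management auditing is on, the events can be correlated to find laptops whose cached verifier predates a password change, the case raised in post #4. The CSV layout, host names and user names are constructed assumptions; the event IDs and logon types are the standard Windows ones.

```python
import csv
import io
from datetime import datetime

LOGON = 4624                    # successful logon (528 on Windows 2000/XP/2003)
PASSWORD_EVENTS = {4723, 4724}  # password change / reset (627 / 628 on older systems)
VALIDATED, CACHED = 2, 11       # logon types: Interactive, CachedInteractive

# Constructed sample: successful Security events from DCs and laptops merged into
# one CSV. The column layout is an assumption; "user" is the account logged on
# or the account whose password was changed.
SAMPLE_CSV = """\
time,host,event_id,user,logon_type
2008-03-01T08:00:00,LAPTOP07,528,alice,2
2008-03-10T09:15:00,LAPTOP07,528,alice,11
2008-04-02T14:30:00,DC01,627,alice,
2008-04-20T07:45:00,LAPTOP07,528,alice,11
2008-03-05T08:10:00,LAPTOP12,4624,bob,2
2008-03-06T10:00:00,DC02,4723,bob,
2008-03-07T08:05:00,LAPTOP12,4624,bob,2
2008-05-01T19:20:00,LAPTOP12,4624,bob,11
"""


def normalize(event_id):
    """Map pre-Vista Security event IDs onto the current ones (old ID + 4096)."""
    return event_id + 4096 if event_id < 4096 else event_id


def stale_caches(csv_text):
    """Return (user, host, password_change_time, cached_logons) for every laptop
    whose last DC-validated logon predates the user's latest password change."""
    last_change = {}     # user -> latest password change or reset
    last_validated = {}  # (user, host) -> latest interactive logon checked by a DC
    cached_logons = {}   # (user, host) -> number of cached logons seen
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.fromisoformat(row["time"])
        user = row["user"].lower()
        event = normalize(int(row["event_id"]))
        if event in PASSWORD_EVENTS:
            last_change[user] = max(when, last_change.get(user, when))
        elif event == LOGON and row["logon_type"]:
            key = (user, row["host"].upper())
            logon_type = int(row["logon_type"])
            if logon_type == VALIDATED:
                last_validated[key] = max(when, last_validated.get(key, when))
            elif logon_type == CACHED:
                cached_logons[key] = cached_logons.get(key, 0) + 1
    findings = []
    for (user, host), count in sorted(cached_logons.items()):
        changed = last_change.get(user)
        validated = last_validated.get((user, host))
        if changed and (validated is None or changed > validated):
            findings.append((user, host, changed.isoformat(), count))
    return findings


if __name__ == "__main__":
    for finding in stale_caches(SAMPLE_CSV):
        print(finding)
```

A flagged laptop is one whose cache was last refreshed before the password change; it is a lead to check against the user's report, not a confirmed cause.
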
#6
Re: Cached Credentials stop working all of a sudden

Hello Anthony,

thanks for the hints. Turning on auditing is a good idea. We have removed and rejoined computers before and had no problems. The problem is that we have thousands of clients and you never know when it's going to hit you. Often the computers are wiped and rebuilt before we can get a hold on them.

The AD domain name is a public name but the DNS zone is only available internally.

Regards
HarryH