Issue with smart cards and cached credentials
With Windows 7 we are seeing some issues where cached credentials with smart cards will just stop working until the computer can successfully re-authenticate against the domain. User logons with cached credentials work fine but smart card cached credentials will just randomly start working. All we see in event viewer is:

Log Name: System
Source: LsaSrv
Date: 3/27/2010 11:26:54 AM
Event ID: 45058
Task Category: Logon Cache
Level: Information
Keywords: Classic
User: N/A
Computer: xxx.xxx.xxx
Description: A logon cache entry for user DC=com, DC=domaniname, OU=Accounts, OU=IT Admin Accounts, CN=username@DC=com, DC=domainname, CN=xxx@xxx.com was the oldest entry and was removed. The timestamp of this entry was 3/26/2010 16:25:45.

Thanks for any insight
March 30th, 2010 1:13pm

We're seeing the same thing, but it happens with remote users frequently that do not use smart cards. Any ideas?
October 14th, 2010 5:23pm

I have seen this also and I suspect it has something to do with the CRL (Certificate Revocation List) checking. But I am new to troubleshooting Windows. I have sniffed my system and never see it go to the CRL distribution site, but it somehow has the CRL to validate the card at login. I'm assuming it is pushed through the domain. My guess is that the cached credential login with a smart card fails when the cached CRL expires, but I have no evidence that this is the cause.
January 13th, 2011 4:00pm

Our systems are set to cache only two logons. This was not an issue until we started using smart cards to authenticate. Once we switched to smart card authentication, only the last logged on user could log on when offline. I have not been able to find this documented anywhere, but after some thorough testing I have discovered that a smart card login effectively uses two cached domain logons. Therefore you have to set the Security Option (Number of previous logons to cache...) to a number twice the number of users requiring logon to the system when in offline mode. To allow 4 users to access you would need 8 cached logons. Hope this helps.
July 14th, 2011 3:46pm

Hello, Smartcard logon takes up one cached logon slot. User ID and Password takes one cached logon slot. The cached credentials are first in, first out. If you have domain cached logons set to 2, then one user would take up both slots if they logged on with User ID and Password as well as their smartcard. As soon as another person logs on (i.e. remote desktop), the first cached credential is kicked out so the new logon will have a slot. Regarding the behavior seen with cached credentials getting lost, it is likely due to authentication issues while connected to the domain via VPN. Here is how it likely works out: The user logs on to their laptop with their smartcard while not connected to their domain. The user connects to the domain using a VPN. They lock their workstation, or it is locked by policy after a period of time, and they attempt to unlock the workstation. While attempting to unlock the workstation, certificate validation fails and the user is unable to unlock the workstation. Because a domain controller is now available via the VPN, mutual authentication must occur. Both the domain controller and client certificate chains must be validated. At this point, after a couple more failed attempts to unlock the workstation, the user imposes a hard boot by holding down the power button until the unit is turned off. That is where the cached credential is lost. By not being able to authenticate successfully before shutting down, the cached credential is deemed invalid.
August 16th, 2011 12:46pm
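The two posts above describe a slot budget (CachedLogonsCount, with a smart card logon and a password logon by the same user each taking a slot) and an eviction symptom (LsaSrv event 45058, "oldest entry and was removed"). The following PowerShell is an added example, not code from any poster or from Microsoft; it audits a workstation's cached-logon budget against the number of users who must work offline, using the thread's two-slots-per-user rule of thumb as an adjustable assumption, and pulls the recent 45058 eviction events so an admin can correlate them with failed offline logons. The parameter defaults and the default-of-10 fallback are assumptions; the registry path and event source are the standard ones.

```powershell
# Added example (not from the thread): audit cached-logon slots and list LsaSrv 45058 eviction events.
# Run elevated on the affected workstation.
param(
    # Assumption: number of distinct users who must be able to log on while offline
    [int]$OfflineUsers = 4,
    # Assumption from the thread: 2 slots if a user logs on with both smart card and password
    [int]$SlotsPerUser = 2
)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# CachedLogonsCount is a REG_SZ value; Windows defaults to 10 when it is absent.
$raw = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
$cachedCount = if ($null -eq $raw) { 10 } else { [int]$raw }

$required = $OfflineUsers * $SlotsPerUser
[pscustomobject]@{
    CachedLogonsCount = $cachedCount
    RequiredSlots     = $required
    Sufficient        = ($cachedCount -ge $required)
}

# Each LsaSrv event 45058 records a cache entry evicted because it was the oldest.
# A run of these shortly before an offline logon fails is the pattern the thread describes.
$filter = @{ LogName = 'System'; ProviderName = 'LsaSrv'; Id = 45058 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -AutoSize -Wrap
```

If Sufficient comes back false, raising CachedLogonsCount is only half the fix: the thread's later posts show that eviction is not the only way an entry becomes unusable, so keep the 45058 timeline alongside VPN connect and sleep/resume events when reproducing the problem.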

Hi MagikD. I think we have the same problem. I am still curious what the problem is, since we really cannot have 2 cached credentials on laptops (security issue), and a workaround is not an option. If we can be sure that the two CachedCredSlots are occupied we can accept the solution, but in our case with admin logging on and then user, it can take weeks until the "bug" happens and smartcard users have taken both CachedCredSlots. I think we have narrowed it down to where the client is connected through VPN (DA is also tested with the same result), the computer goes to sleep, then Cached Credential logon fails. We are not using username/passwords, only smartcard. Only one user is required to maintain an id in the CachedCredentialSlot. If we use Cain&Able on the failed client we can still see the CachedCredential, but it's not working, so in theory it has not been removed... Interesting you say "it is likely due to authentication issues while connected to the domain via VPN"; we are still trying to figure out what the problem is... Anyone got clues? -mts0n
November 10th, 2011 7:55am

It seems that the CRL does not have anything to do with it. We have a client with an expired CRL (and removed), but still we can log on with cached credentials.
November 10th, 2011 9:11am

Hello, Your assertion is correct. Cached credentials do not use CRLs. However, as soon as you VPN to the network in which the domain controllers reside, the domain controllers are available, slightly changing authentication scenarios. Once you have established the VPN connection, you must mutually authenticate with a domain controller before unlocking a locked workstation, for example. You indicate you are not using UserName and Password. Have you locked down the users' accounts for smart card only? By doing so, you would avoid having a user's UserName and Password taking up a cached credential slot. Be prepared to ensure Terminal Servers, Citrix servers, and other remote connection devices accept the smart card prior to enforcing the policy, or folks will not be able to access the necessary systems to do their jobs. Also, you want to be sure the policy is applied to user accounts and not computer accounts. Back to the cached credential logon count. I don't believe there is a glaring security issue having more than 2 cached credentials. Although NIST recommends that setting, our organization accepted the default of 10 because of the difficulty of breaking those cached credentials. Also, local accounts do not take up a cached credential slot. Perhaps when an administrator needs to perform some administrative duties they can Run As a local admin account. MagikD
November 17th, 2011 11:09am
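MagikD's post recommends locking accounts down to smart card only and stresses that this is a user-account setting, not a computer setting. The PowerShell below is an added example, not code from the thread or from Microsoft; it uses the RSAT ActiveDirectory module to report which enabled users in an OU still permit password logon (and so, per the thread, can still consume a second cached slot) via the SmartcardLogonRequired account property. The OU path is a placeholder assembled from the anonymised DN in the first post's event text, and the module must be installed on the machine running it.

```powershell
# Added example (not from the thread): audit which user accounts are restricted to smart card logon.
Import-Module ActiveDirectory

# Placeholder search base built from the anonymised DN in the thread's event text; replace with your own OU.
$searchBase = 'OU=IT Admin Accounts,OU=Accounts,DC=domainname,DC=com'

# SmartcardLogonRequired is the per-user "Smart card is required for interactive logon" account flag.
$users = Get-ADUser -Filter { Enabled -eq $true } -SearchBase $searchBase -Properties SmartcardLogonRequired

# Summary: how many accounts are smart-card-only versus still password-capable.
$users |
    Group-Object -Property SmartcardLogonRequired |
    ForEach-Object { [pscustomobject]@{ SmartcardLogonRequired = $_.Name; Count = $_.Count } }

# Detail: accounts that can still log on with a password; each may occupy an extra cached slot.
$users |
    Where-Object { -not $_.SmartcardLogonRequired } |
    Select-Object SamAccountName, DistinguishedName |
    Sort-Object SamAccountName
```

Review the detail list against the systems MagikD warns about (Terminal Servers, Citrix, other remote-access devices) before setting the flag on any account, since an account flipped to smart-card-only loses password logon everywhere, not just on the laptops with the caching problem.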

Update: The support case with Microsoft is now closed. Well, as we raised CachedCredCount to 10 (case solution) it all "seemed" to be working... but it happened again. This time it took even longer (5 weeks+). We raised the CachedCredCount to 50; still the same problem. As we had a look in the registry, or used Cain&Able to look in the CachedCredentials store, there are not even enough cached credentials to fill 10 slots. So we cannot see what is wrong, except that the cached credentials themselves are broken or not used at all; what the negotiation mechanism is doing is quite hidden. The input to the Microsoft case was that with CachedCredCount set to 3 we could still only see that 2 slots were taken; there was one slot not used, so we figured that the count itself was not the problem anyhow. This input seems to have been slightly ignored. The only thing we now could do is go "SmartCard only". Could SmartCard Only be used in computer policy? Since we could not disregard that some (a few) systems are not smartcard or Kerberos compliant: HP iLO, Exchange ActiveSync, for example.
March 21st, 2012 7:55am
