Windows 7 caching domain passwords

doug2168

New Member
is this disabled in some way for some reason?

for learning purposes i have setup a samba pdc and have win 7 pro installed at home which is joined to the samba pdc. i also have some win xp pro systems joined to the same pdc. the xp boxes have no issues caching passwords and have just about the same default policies as the win 7 boxes. all boxes can login to the pdc, access shares, etc with no problems. the only issue i have is that domain account passwords are not cached on the win 7 boxes for some reason. am i missing something? as i said all default security policies are in place except the couple of changes needed to have domain communication with the samba pdc.

i hope someone has some ideas of where to look because my eyes are about to fall out trying to find an answer. i've googled for the last 3 hours and have no answers.
 
Password caching can be a big security hole. I've always set system security policy to remember only the last login. The hole has finally been patched.

But if you're having problems re-accessing shares that already have been accessed during the current login session, then that's a horse of a different color. Can you give us some more specifics about your problem?
 
more details..........sure, i don't think i was very specific.

simply put i can login to the domain when i have a connection to it. no problem. when i'm not connected to the domain the domain login does not work because there's nothing to validate the login name and password. so, i can't login as that user with that profile unless i have a domain connection. i have enabled caching of 25 logins in the local sec policy but the system still comes up saying no server available when i try to login with no connection.

i can see this as a security hole but, i can do this as i said with an xp machine all day long. what's the difference here? what's being missed in terms of completely enabling caching of passwords?
 
when i'm not connected to the domain the domain login does not work because there's nothing to validate the login

Disable this setting:

Interactive Logon: Require Domain Controller authentication to unlock workstation

That should do it. Then reduce the number of previous logons to cache down to one unless you have workstations shared by multiple users.
 
already disabled.
I'm assuming that when you try to login offline, you get the following error message:
The system cannot log you on now because the domain <DOMAIN_NAME> is not available.
Cached logon information is controlled by the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
ValueName: CachedLogonsCount
Data Type: REG_SZ
Values: 0 – 50
Any changes you make to this key will require you to restart the computer to take effect. On these workstations, go ahead and set it to 10 (although the new default on Server 2008 is 25). But I recommend setting it to zero on domain controllers, since they're never offline from themselves.

If this doesn't fix it, then we've traversed to the realm of the strange and need more information, especially from the security event log, when you get an offline logon failure.
 
ok, that didn't do it either. already had that set to 25 but, changed it to 10, rebooted, logged on to the domain and then logged off. disabled wireless card by turning it off with the switch and got the same message as you gave in your last post. we are now in the realm of the strange i guess as you put it.

i did load win 7 pro on to another laptop with no other software and all it has is a wired LAN connection. all default policies and settings. joined it to the domain and it does the same thing.....no logon when the wire is unplugged. that eliminates any other software or wireless being an issue. it's clearly something in win 7 pro that's not enabled but what?
 
I'll dig into this tonight and tomorrow night. Unfortunately, you've found an interesting <shiver!> problem.
 
ok, and as for logs....i get this: ******************This computer was not able to set up a secure session with a domain controller in domain xxx.xxx (removed purposefully) due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.**************************

this is an event id 5719 for netlogon which is in the system event viewer. there's nothing in app event viewer or security event viewer.
 
This computer was not able to set up a secure session with a domain controller in domain xxx.xxx (removed purposefully) due to the following:
There are currently no logon servers available to service the logon request.

Jeepers! So even though we've told it to not require a domain server for authentication, it's requiring a domain server for authentication.

I'm glad that I haven't upgraded any of my Active Directory-managed notebooks yet! There are a few roadwarriors who would have been thoroughly pissed with me if they couldn't log on to their machines when away from the office!

But that's useful information. More later...
 
yep, my point also and just part of the reason i'm testing the OS @ home. i work for a very large corporation and the higher ups are wanting this OS pushed out by the end of next year. there is no way we can have something like this. we currently have 2500 laptops out there in use with XP pro and cached passwords. the normal 'joe user' will have no clue what to do with something like this and to be giving them all local logon accts as well as domain accts seems retarded. i think even if you have one default local logon acct it would cause havok with the normal user. i do hope this is just a little something that's being overlooked by me but, i've gone through the MS site looking for answers and have come up empty.
 
ok, i'll know when i get home this evening but i think i found the answer to my issue. it may very well be that the "NoLMHash Policy" is set to "enabled" by default on vista and windows 7 but "disabled" in XP pro. i will disable this in group policy and see what happens then. i have a funny feeling that this will solve my problems because samba is much like nt 4 and the password hash it used.


will post back with my findings later tonight.
 
well, that didn't do it either. oh well. keep trying
 
The shotgun approach

Okay, let's branch out with our investigation and consider what your computer might be trying to do before and as you log in. These are just shots in the dark, but I can't think of where else to start.
  1. Is pass-through authentication turned on?
  2. What form of the user ID is being used for the login? <domain>\<username>? (I would check Local Users and Groups to verify this, unless you're actually typing in the username, too.)
  3. Do you have any mapped drives?
  4. Do you have any automatically generated links to network shares in Network Places or, er, rather, Home Group or someplace like that?
  5. Is there any folder redirection GPO?
  6. Could something be trying to authenticate before you logon?
  7. Is anything configured in Local Computer Policy\Computer Configuration\Administrative Templates\System\Credentials Delegation?
  8. How about ...\Logon? (e.g. "Assign a default domain for logon")?
  9. How about Local Computer Policy\Computer Configuration\Windows Settings\Name Resolution Policy?
  10. Are any settings found in those groups in Local Computer Policy\User Configuration?
  11. Are there any messages in the Event Log at the time of login failure?
  12. Are you using Network Access Protection (NAP)?
Okay, sure, maybe now I'm getting too far astray, but I keep asking myself, "what would or could cause Windows 7 to expect to be connected to a domain controller before a user logs on?" All I can think of are network services that have been configured to log on to a domain at startup, although that would generate a different kind of message.

At first glance, this doesn't appear to be the same problem, but read on:

Windows 7 Domain Account Lock Out Problem

Note that they haven't solved it yet, either.

We may have found a bug that a lot of enterprise folks are beginning to struggle with, too.
 
  1. Is pass-through authentication turned on? to be honest, i don't know what this is. i did a quick google for it but didn't come up with much except for IIS.
  2. What form of the user ID is being used for the login? <domain>\<username>? (I would check Local Users and Groups to verify this, unless you're actually typing in the username, too.) login id looks like <domain>\<username>
  3. Do you have any mapped drives? no
  4. Do you have any automatically generated links to network shares in Network Places or, er, rather, Home Group or someplace like that? no
  5. Is there any folder redirection GPO? no
  6. Could something be trying to authenticate before you logon? don't think so. especially with the laptop i've been using because all it has on it is a fresh load of windows 7 pro where the only change i made to it is joining the system to the domain.
  7. Is anything configured in Local Computer Policy\Computer Configuration\Administrative Templates\System\Credentials Delegation? nope
  8. How about ...\Logon? (e.g. "Assign a default domain for logon")? nope
  9. How about Local Computer Policy\Computer Configuration\Windows Settings\Name Resolution Policy? nope
  10. Are any settings found in those groups in Local Computer Policy\User Configuration? nope
  11. Are there any messages in the Event Log at the time of login failure? just the netlogon error i posted earlier
  12. Are you using Network Access Protection (NAP)? unless this is setup by default....no and again i don't know where this is found either. i searched for this one too but only see it as a service that manually starts.
i appreciate the help and the answer will be found soon.
 
login id looks like <domain>\<username>

That's got to be the problem! When a domain is specified in the login ID, Windows searches for a domain controller to authenticate the user name. Try removing the "<domain>\" part.
 
:D OMG!!!! that's what i get for NEVER learning vista i guess and going right from xp pro to win 7 pro. i knew it was simple but, this simple???? sometimes i am just soooooo thick!!!!

thanks for ALL of the help. it's very much appreciated. you ARE da man!!!!
 
If you are referring to the welcome screen or certain user management screens then <domain>\<username> is how the user is always displayed, regardless of you logging in by typing <domain>\<username> or <username> (and letting it default the domain name).

The original poster never mentioned if leaving off the <domain> part during logon solved their issue, but I know this did not help when I had a similar issue. So, just to help anybody that comes across here looking to fix the same issue (or find out more about one cause of this issue) the original poster here:

Netlogon event 5719 - "There are currently no logon servers available to service the logon request" with Samba PDC

Gives a nice explanation about windows having issues with a domain name mismatch in the samba user record. They also provide one solution.

I have found using (on the samba machine): sudo pdbedit --user=USERNAME --domain=CORRECTDOMAIN
Will also fix this problem, provided the cause is the user having the wrong domain name configured in the SAM database.

You can determine that by: sudo pdbedit -L -v
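An added example (not from any poster in this thread) of the check just described: it parses `pdbedit -L -v` output, flags every account whose stored domain differs from the PDC's real domain, and prints the corrective `pdbedit --user=... --domain=...` command. The listing below is constructed for the example; the field names match pdbedit's verbose output as I know it, but the exact layout is an assumption to check against your Samba version.

```python
"""Audit Samba passdb records for the domain-name mismatch described above:
parse `sudo pdbedit -L -v` output and flag accounts whose "Domain:" field
differs from the PDC's domain (field layout is an assumption)."""
import re
import shlex
import sys

# Constructed sample of `pdbedit -L -v` output; alice's record is mismatched.
SAMPLE_LISTING = """\
---------------
Unix username:        doug
NT username:          doug
Account Flags:        [U          ]
Domain:               HOMEDOM
---------------
Unix username:        alice
NT username:          alice
Account Flags:        [U          ]
Domain:               OLDNAME
"""

def parse_pdbedit(listing):
    """Split the verbose listing into one {field: value} dict per record."""
    records = []
    for chunk in listing.split("---------------"):
        fields = {}
        for line in chunk.splitlines():
            m = re.match(r"^([^:]+?)\s*:\s*(.*)$", line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if "Unix username" in fields:
            records.append(fields)
    return records

def find_domain_mismatches(listing, expected_domain):
    """Return [(unix_username, stored_domain)] for records whose Domain
    field differs from expected_domain (NetBIOS names are case-insensitive)."""
    return [(r["Unix username"], r.get("Domain", ""))
            for r in parse_pdbedit(listing)
            if r.get("Domain", "").upper() != expected_domain.upper()]

def fix_command(username, correct_domain):
    """The pdbedit command from the thread, shell-quoted for this user."""
    return "sudo pdbedit --user=%s --domain=%s" % (
        shlex.quote(username), shlex.quote(correct_domain))

if __name__ == "__main__":
    # Pipe a real listing in (sudo pdbedit -L -v | python3 audit.py); otherwise use the sample.
    listing = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    for user, dom in find_domain_mismatches(listing, "HOMEDOM"):
        print("%s: stored domain %r; fix: %s" % (user, dom, fix_command(user, "HOMEDOM")))
```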
 