Credentials Manager forgets windows credentials

  • Question

  • Hello,

    I use Credential Manager to add a Windows credential for a website using NTLM authentication. Once I add it, everything works fine. However, the credential is added with "Persistence: Logon Session", and after a reboot of the computer it is forgotten.

    How do I make it permanent?

    Friday, April 16, 2010 10:22 AM

Answers

  • Please change the authentication level to “Send LM & NTLM - use NTLMv2 session security if negotiated”, since we do not know whether the website uses NTLM or NTLMv2.

    Maybe the authentication is blocked by antivirus and firewall in your system, or the firewall on your router. You may temporarily disable the security programs and try again. If the issue persists, disable the firewall on the router or temporarily bypass the router and check the result.

    If it does not help, please let us know if other Windows 7 computers have the same issue. If so, you may need to check the SharePoint server side.


    Arthur Xie - MSFT
    Thursday, April 22, 2010 2:42 AM
    Moderator

All replies

  • If the website is using NTLM authentication, there is no need to add a credential in “Credential Manager”. The server side will check your username and password and decide whether you are allowed to access.

    Microsoft NTLM

    If your username/password is not allowed, you are not granted access to the website even if you add the credential in Credential Manager, if the website does not allow the simple credential authentication.

    If your NTLM authentication fails, it may be caused by the different levels. For more information, please contact the server side of the website. If the authentication level needs to be changed, you may refer to:

    Network security: LAN Manager authentication level

    The policy is:

    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level

    Please change it to “Send LM & NTLM - use NTLMv2 session security if negotiated”.


    Arthur Xie - MSFT
    Tuesday, April 20, 2010 8:53 AM
    Moderator
  • Actually that's two different questions:

    1. Why existing NTLM auth fails: I don't know why Office products keep popping up a question on opening a SharePoint document. Entering credentials proceeds fine.

    2. Why does it drop credentials entered in credentials manager?

    Wednesday, April 21, 2010 1:32 PM
  • actually

    3) why does NTLM work sometimes, but then later will ask for login again?

    I have enabled sending LM and NTLM responses.

    Wednesday, April 21, 2010 1:33 PM
  • I already have it at "Send LM & NTLM - use NTLMv2 session security if negotiated". It works properly 95% of the time. But sometimes it pops up the dialog.

    I don't have any firewalls or antivirus applications running.

    Others seem to knock into the same issue as well.

    It might be server side, but how do I start looking for the problem?


    Monday, April 26, 2010 7:53 PM
  • Lately (seems after the last big set of Windows updates), all my saved credentials are getting deleted in Windows 7.  I don't know why it is happening, but I know what is deleting them: lsass.exe is.  Now I already made sure that process and the rest of the machine are clean, no viruses, trojans, etc.  But I got annoyed having to restore my credentials all the time.  So I decided to monitor the actual directories where the credentials are stored for changes.  For reference they are stored in these two directories (and as protected system files so normally you can't see the files):

    C:\Users\[user id]\AppData\Local\Microsoft\Credentials

    C:\Users\[user id]\AppData\Roaming\Microsoft\Credentials

    I used the program PA File Sight Pro (http://www.poweradmin.com/file-sight/) to monitor those two directories and tell me what deletes all the credentials.  So left it running and sure enough, my credentials got deleted and it told me lsass.exe did it.  Like I said, I don't know why it's doing it, can't find anything anywhere about "lsass decides to delete your credentials"...  Maybe this will point someone that knows more about the inner workings of lsass in the right direction.

    I'm stuck having to restore my credentials at least once a day now though and it is annoying.  But for what it's worth, you don't have to use the backup vault to restore--though less secure probably (it's my home machine so pretty safe) you can actually back up and restore the credentials with xcopy so you can set up an automated restore.

    Tuesday, May 4, 2010 12:42 AM
  • I have a similar problem. I'm using Windows 7 Ultimate SP1 non domain joined computer and every time I restart every Windows and Generic credential in the Credential Manager Windows Vault is lost. If I backup the vault I am able to restore the vault after the restart. How were you able to use xcopy to automate the backup/restore?
    Tuesday, May 31, 2011 10:36 PM
  • I ran into this when working with my hosted exchange provider.  It was a new domain install, so I asked the provider if they had any recommendations on the AD domain name matching the email domain or not.  They said "yes -- make it match".  For the _most_ part, I can log in with the e-mail address, but some stuff just kept prompting for a password.  On asking the host's support, they said enter the credential in credential manager.

    If I enter it as the e-mail address (which matched the AD login), it was a 'Logon Session' persistence.  If I entered it as "HOSTDOMAIN\user" instead of user@userdomain.com, it changed the persistence to "enterprise".

    So...  unless somebody knows how to change that behavior, the workaround I see is to use some... other domain name (other than what the local machine recognizes your current credentials as) in your to-be-saved credentials.

    Tuesday, October 18, 2011 10:20 PM
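
The thread turns on which persistence value each stored credential ends up with ("Logon Session" versus "enterprise"). The following is an added diagnostic example, not code from any post in this thread: it lists every credential visible to the current user with its persistence by calling the Win32 `CredEnumerateW` API, without reading the stored secret. The class name `CredPersistence` is made up for this example, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: list each stored credential's persistence. The secret blob is never read.
Add-Type -TypeDefinition @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

public static class CredPersistence   // hypothetical name, used only in this example
{
    // Mirrors the Win32 CREDENTIALW layout; string members are kept as raw pointers.
    [StructLayout(LayoutKind.Sequential)]
    private struct CREDENTIAL
    {
        public uint Flags, Type;
        public IntPtr TargetName, Comment;
        public uint LastWrittenLow, LastWrittenHigh;
        public uint CredentialBlobSize;
        public IntPtr CredentialBlob;
        public uint Persist, AttributeCount;
        public IntPtr Attributes, TargetAlias, UserName;
    }

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    private static extern bool CredEnumerateW(string filter, uint flags, out uint count, out IntPtr creds);

    [DllImport("advapi32.dll")]
    private static extern void CredFree(IntPtr buffer);

    public static List<string[]> Enumerate()
    {
        var rows = new List<string[]>();
        uint count; IntPtr buffer;
        if (!CredEnumerateW(null, 0, out count, out buffer)) return rows; // fails when nothing is stored
        try {
            for (int i = 0; i < (int)count; i++) {
                IntPtr p = Marshal.ReadIntPtr(buffer, i * IntPtr.Size);
                var c = (CREDENTIAL)Marshal.PtrToStructure(p, typeof(CREDENTIAL));
                rows.Add(new[] { Marshal.PtrToStringUni(c.TargetName), Marshal.PtrToStringUni(c.UserName),
                                 c.Type.ToString(), c.Persist.ToString() });
            }
        } finally { CredFree(buffer); }
        return rows;
    }
}
'@
# CRED_PERSIST_* and CRED_TYPE_* values from wincred.h
$persist = @{ 1 = 'Session'; 2 = 'LocalMachine'; 3 = 'Enterprise' }
$type    = @{ 1 = 'Generic'; 2 = 'DomainPassword'; 3 = 'DomainCertificate'; 4 = 'DomainVisiblePassword' }
[CredPersistence]::Enumerate() | ForEach-Object {
    [pscustomobject]@{ Target = $_[0]; User = $_[1]; Type = $type[[int]$_[2]]; Persist = $persist[[int]$_[3]] }
} | Sort-Object Persist, Target | Format-Table -AutoSize
```

Entries reported as `Session` are the ones Credential Manager shows as "Persistence: Logon Session". Running this before and after re-entering a credential with a different user name format shows whether the persistence actually changed.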