Domain profile user can't login with correct credentials when domain is unreachable

  • Question

  • This is basically a new post of a previous post.  That one was "answered" due to inactivity, and the provided solution, to check the Group Policy "Network access: Do not allow storage of passwords and credentials for network authentication", is not being set for my GPO and thus does not solve my issue.

    I am running Windows 10 Pro Version 2004 (OS Build 19041.329). The computer is joined to a domain and established a domain profile with fingerprint and PIN.  When at the office, where the AD server is directly accessible, login works fine. But when offsite and attempting to login under the domain profile I always get the error: "password is incorrect". Password, PIN and fingerprint don't work. The only thing to remedy the situation is to log in as the local administrator and connect via VPN to our corporate network.  Before connecting VPN, I open the Computer Management window and expand Local Users and Groups -- Groups.  Viewing the members of Administrators displays a long SID.  Once I connect to VPN, that SID turns into my domain profile name XXX\yyy.  Then I simply switch users and log in as my domain profile with no issue.  After restarting, or even locking the computer, I will encounter the same password forgotten issue for the domain profile.

    Wednesday, July 8, 2020 8:52 PM

Answers

  • Hi, I think I have solved the problem!  And I don't think just deleting/re-initializing the profile would have fixed it; it would instead have required a complete reinstall of Windows, which fortunately I did not need to do.

    Basically I found a cached credential of Office for my user stored under the SYSTEM account.  Seems like this has happened to others (see this post).

    I was able to track this down by opening a command window to run under the SYSTEM account using psexec utility: psexec -i -s -d cmd.exe

    Then open the "Stored User Names and Passwords" window via command: rundll32.exe keymgr.dll,KRShowKeyMgr

    This showed a single credential: MicrosoftOffice16_Data:SSPI:abc@xxxx.com (LegacyGeneral).  I removed it and rebooted.  Now when I view the "Stored User Names and Passwords" under the SYSTEM account, I just see one for virtualapp/didlogic (WindowsLive) which is consistent based on other laptops in our domain.

    While it doesn't make entire sense to me why an Office credential under the SYSTEM account would affect the entire machine's ability to dependably cache credentials, it has solved the problem! There must be some internal operation happening with the SYSTEM account when a VPN connection is started that "resets" credentials in the machine.  I am just speculating here -- if you can shed any insights you have I would be curious to know more.  Otherwise we can close this thread.

    • Marked as answer by sonyisda1 Friday, July 31, 2020 9:30 PM
    Saturday, July 25, 2020 1:05 PM
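    The check the accepted answer performed by hand through the Key Manager GUI, as an added PowerShell example that is not part of this thread: it reads the two policy values discussed (from the registry values that back them), then lists the SYSTEM account's stored credentials with cmdkey via PsExec and only flags per-user Office SSPI entries for review, deleting nothing. It assumes PsExec.exe is on PATH, an elevated shell, and that cmdkey prints one "Target: ..." line per credential.

```powershell
# Added example (not from the thread): read-only checks on a domain-joined
# Windows 10 machine for the two things this thread turned on.
# Assumptions: PsExec.exe on PATH, elevated shell, cmdkey "Target:" line format.

# 1. Policy state discussed in the thread, read from the registry values behind it.
$lsa      = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# "Network access: Do not allow storage of passwords and credentials for
# network authentication" -> DisableDomainCreds (1 = enabled, absent/0 = default)
$disableDomainCreds = [int]($lsa.DisableDomainCreds)

# "Interactive logon: Number of previous logons to cache" -> CachedLogonsCount
# (REG_SZ; absent means the default of 10, 0 means no offline logon at all)
$cachedLogons = if ($null -eq $winlogon.CachedLogonsCount) { 10 }
                else { [int]$winlogon.CachedLogonsCount }

[pscustomobject]@{
    DisableDomainCreds = $disableDomainCreds   # 1 would explain missing cached creds outright
    CachedLogonsCount  = $cachedLogons         # thread's machine reported 10
} | Format-List

# 2. Credentials in the SYSTEM account's vault, the same psexec -s trick as the
#    answer but with cmdkey so the result is text rather than a GUI window.
#    PsExec's banner goes to stderr, so it is discarded.
$systemCreds = & psexec.exe -accepteula -s cmdkey /list 2>$null |
    ForEach-Object {
        if ($_ -match '^\s*Target:\s*(.+)$') { $Matches[1].Trim() }
    }

# 3. Flag per-user application credentials living under SYSTEM, like the
#    MicrosoftOffice16_Data:SSPI:<user> entry removed in the accepted answer.
#    The pattern is an assumption generalised from that one observed target name.
$suspicious = $systemCreds | Where-Object { $_ -match 'MicrosoftOffice\d+_Data:SSPI:' }

"Credentials stored in SYSTEM's vault:"
$systemCreds | ForEach-Object { "  $_" }
if ($suspicious) {
    "`nPer-user Office SSPI credentials under SYSTEM (review before removing):"
    $suspicious | ForEach-Object { "  $_" }
} else {
    "`nNo per-user Office SSPI credential found under SYSTEM."
}
```

    Removing a flagged entry is still a manual step through the Key Manager window (or cmdkey /delete) run under SYSTEM, as in the answer, after confirming it is not expected on comparable machines in the domain.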

All replies

  • Hello,
    Thank you for posting in our TechNet forum.

    1.How many clients have such problem?
    2.Is the problematic machine fresh installed or upgraded from Home to Pro?


    Based on "the Group Policy: Network access: Do not allow storage of passwords and credentials for network authentication is not being set for my GPO and thus does not solve my issue.", do you mean this group policy setting is at its default setting, or is it enabled? Would you please check it?

    If it is the default setting, we should be able to log on to this machine with the cached domain credential when offsite.

    Or we can try the last cached domain credential to see if we can log on to this machine when offsite.


    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, July 9, 2020 5:14 AM
  • That group policy is not defined in any domain GPO and in my Local Security Policy it is Disabled.  I am the only one experiencing this problem.  Other users at my office upgraded to 2004 from 1909 and did not notice this problem with domain credentials.

    Another thing I noticed is the Credential Manager seems to "forget" my windows credentials throughout the day.  So every morning I have to go through the process of logging in via local admin account, then connecting to corporate VPN, and then switching users to my domain account.  I stay logged in to my domain profile all day long.

    Before I open a VPN connection on my domain profile, I see there is no Windows Credentials.

    And then after I connect to corporate VPN on my domain profile account, I notice the Windows Credential appear.  But these will eventually disappear during the day (even if i stay connected to VPN).  But if I disconnect from VPN and reconnect, they will reappear.  I haven't yet tracked the exact amount of time it takes to disappear but it is definitely less than 8 hours.

    • Edited by sonyisda1 Thursday, July 9, 2020 11:58 AM added extra blurb about other domain users not seeing this problem
    Thursday, July 9, 2020 11:54 AM
  • Hi,
    Thank you for your update.

    Not sure whether it is your operating system problem or your account problem.
    Would you please check if another domain user logs on your machine with his/her domain credential, whether there is such issue?



    Best Regards,
    Daisy Zhou

    Friday, July 10, 2020 3:54 AM
  • I have created a second domain profile for a different account and it seems to work just fine.  In order to do so I brought my laptop onsite to the office so that it had a direct connection to the AD network.  After bringing it back offsite I could never get the second account to fail like the first.  And the first account seemed to be working fine with log offs, reboots, and session lock.  But as soon as I connected to VPN and locked the computer, it immediately brought the first account to the error state where it does not recognize the password.  To mention for more info, during this failure it also forgets the Outlook sign-in, Chrome Google account sign-in, and LastPass browser extension sign-in -- so it is more than just the domain account password.

    So not sure what it is about the first domain profile that, when it gets connected to a VPN, it somehow forgets all the credentials. And the second domain profile still works fine even when the first account is in the failure state.

    Sunday, July 12, 2020 11:37 PM
  • Hello,

    Thank you for your update.

    I am sorry, we should check the following group policy settings instead of the setting above.

    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options GPO container\Interactive logon: Number of previous logons to cache (in case domain controller is not available)



    Tip: Because the second domain account is working fine, we should have cached the domain user credentials. I mean this problem is not related to this group policy setting.


    1.For the problem, if we have cached the domain user credentials before, then we logon when offsite, usually, it will use cached credential to authenticate.

    2.For the second domain user account, it is working fine.

    3.But for the first domain user account, we receive the error message "password is incorrect" instead of using the cached domain user credential when logging in offsite, because in that offsite work location it found a server in the same domain name as your domain (with the same domain user account but a different password from your first domain user account) to authenticate your first domain user account, and then it fails.

    4.So I suggest we try another work location when offsite with your first domain user account to see if it will use the cached credential.



    Best Regards,
    Daisy Zhou

    Monday, July 13, 2020 2:47 AM
  • The "Number of previous logons to cache" is set to 10 when checking in my Local Security Policy.

    I think I may have confused you about testing a second account (or at least I do not understand what you are getting at in your 4-step tip).  In generic terms we have domain XXXX.  I normally use account XXXX\abc.  The XXXX domain is at our office and accessible from offsite via VPN.  I have created the new account XXXX\abc2 for the testing.

    It seems that I am able to use the XXXX\abc account just fine when offsite, where it remembers the credentials UNTIL I connect to VPN. Then the next time the credentials are checked (after reboot or session lock) is when they are no longer known and I need to switch to either local admin or the XXXX\abc2 account and then open a connection to VPN.  After doing so, the computer seems to be able to authenticate my credentials for the XXXX\abc account. And yes, this does seem counter-intuitive, where the VPN connection breaks the abc account until I am able to connect to VPN under a different account -- but this is repeatable.  Seems like there is some corruption or clearing of cached credentials that takes place when the abc account gets connected to VPN. Is there any explanation for that?

    Monday, July 13, 2020 12:16 PM
  • Hello,
    Thank you for your update.

    So you can login the first time when offsite without VPN, is that right?

    Can you login with the last password of xxxx\abc when offsite?




    This "Windows 10 security" Forum will be migrating to a new home on Microsoft Q&A, please refer to this sticky post for more details. 


    Best Regards,
    Daisy Zhou

    Tuesday, July 14, 2020 9:48 AM
  • 1. So you can login the first time when offsite without VPN, is that right? Yes
    2. Can you login with the last password of xxxx\abc when offsite? Yes, it will be able to use that password when offsite until I connect to VPN

    When I bring my laptop onsite to the office and log in there, I find the abc account works fine.  When I return back home, I can use that abc account just fine until I connect via VPN, after which it will not be able to authenticate the next time requested:

    • If typing password I receive error: "The password is incorrect. Try again."
    • If using fingerprint I receive error: "Your password was changed on a different device. You must sign in to the device once with your new password, and then you can sign in with Windows Hello."

    In order to get out of the situation where the abc account cannot authenticate, I need to log in as local admin or the other abc2 account (which seems to remember the domain credentials just fine) and open a VPN connection.  Before opening the VPN connection I view the Administrators group and see the long SIDs displayed next to my user account.

    Then after I open VPN, I see those SIDs disappear, which is an indication the credentials will work. And I switch user to then login as XXXX\abc and it logs in fine with the same password.

    So there is something breaking when I open a VPN connection while logged in under XXXX\abc.  I have removed the VPN entry and created new but problem still persists.

    • Edited by sonyisda1 Tuesday, July 14, 2020 1:28 PM Add image
    Tuesday, July 14, 2020 1:27 PM
  • Hi,
    If we change the password for XXXX\abc, does the issue persist?



    Best Regards,
    Daisy Zhou

    Friday, July 17, 2020 3:02 AM
  • I changed the password for the XXXX\abc account and issue still persists.

    When the profile login forgets the credentials, the next time I open Outlook it prompts for the credentials (the default mailbox is tied to the XXXX\abc user) as well as prompting for other linked mailboxes. I am mentioning this because wherever those other linked mailbox credentials are stored is also getting corrupted/cleared.

    Friday, July 17, 2020 5:59 PM
  • Hi,
    If we login with xxxx\abc when offsite, then sign out or lock the computer, then sign in with xxxx\abc again, can we sign in successfully? I mean when offsite, we sign in with xxxx\abc and sign out, sign in with xxxx\abc again and sign out, and repeat the same operation; can we sign in successfully?

    Tip: We do not connect VPN during this time.

    Best Regards,
    Daisy Zhou

    Monday, July 20, 2020 3:56 AM
  • Once I am able to sign in with XXXX\abc, I can reliably lock, sign out, and reboot the computer with the credentials continuing to work while offsite.  But after some time of being connected to VPN while logged in under the XXXX\abc account, the credentials problem will arise.  This typically manifests itself the next morning when booting up after the computer has been shut down overnight.

    Monday, July 20, 2020 12:09 PM
  • Hi,
    Thank you for your reply.

    And I am sorry for late reply.

    Not sure if your domain user account (xxxx\abc) has the same issue on another domain-joined laptop.

    If it does not, maybe something is broken about your profile (xxxx\abc), we can back up all the data in your profile and delete this profile on your laptop.

    After that, we can logon with xxxx\abc again to see if it helps.



    Best Regards,
    Daisy Zhou

    Friday, July 24, 2020 5:04 AM
  • Hi,
    Thank you for your update and sharing. I am so glad that the problem has been resolved.

    Do you mean the xxxx\abc credential should not be stored in the location above?


    Best Regards,
    Daisy Zhou

    Monday, July 27, 2020 7:37 AM
  • The only cached credential that I see under the SYSTEM account is the virtualapp/didlogic (WindowsLive) one, and this is tied to some obfuscated user.  I see a different obfuscated user listed under the stored credentials of the xxxx\abc account.  I don't currently understand, nor really care to understand, the inner workings of that didlogic credential.  Seems to be some internal Windows usage that a user should never need to interact with on a normal basis.
    Friday, July 31, 2020 9:34 PM