Stop Worrying and Love the Outage, Vol III: Cached Logons
This is the third article in a series:
Stop Worrying and Love the Outage, Vol I: Group Policy and Sharing Violations
Stop Worrying and Love the Outage, Vol II: DCs, custom ports, and Firewalls/ACLs
Hello, Chris Cartwright here from the Directory Services support team. This is the third post in a series where I try to provide the IT community with some tools and verbiage that will hopefully save you and your business many hours, dollars, and frustrations. Occasionally, we get cases for users working remotely that are unable to log on with a message that the domain is not available. More often than not, this is caused by an overly enthusiastic Cached Logon configuration.
The setting:
The “Interactive logon: Number of previous logons to cache (in case domain controller is not available)” policy setting controls whether cached account information can be used to sign in to a Windows domain. When a user signs in to a domain account, the sign-in information can be stored locally so that, if a domain controller is unreachable later, the user can still sign in. If a user’s credentials are not cached, you should get one of the following errors:
There are currently no logon servers available to service the logon request.
We can’t sign you in with this credential because your domain isn’t available. Make sure your device is connected to your organization’s network and try again. If you previously signed in on this device with another credential, you can sign in with that credential.
The domain specified is not available. Please try again later.
This policy setting specifies how many different users’ sign-in information can be kept locally, but it leaves out some rather important details like:
Cached logon is based on the method used for logon. Smart card (per issuer), passwords, and Windows Hello logons have their own cache entry per user.
You cannot cache a new entry without line of sight to a Domain Controller.
New smart cards require a new entry and will overwrite an existing one if from same issuer.
Service accounts also have their own entry
By default, the number of cached logons setting is set to a value of 10, which is generally high enough for most organizations. The security risk for this setting is based on use/abuse of the cached credentials by bad actors. Security is a balancing act.
Consider the following points as well:
“The Windows security baselines don’t recommend configuring [the number of previously cached logons].”
“…the server overwrites the oldest cached sign-in session.”
“Users can’t sign in to any devices if there’s no domain controller available to authenticate them.”
So, when your compliance team comes in and tells you to set this to lower values, especially 1 or 0, make sure you know your environment. Issues from miscalculating this cache value range from remote users being unable to log on to (worst case) data loss. After reading this, I hope in future conversations you feel better armed to respond with the potential risks associated with this setting and can avoid this kind of outage without having to learn the hard way!
References:
Cached domain logon information – Windows Server | Microsoft Learn
Microsoft Tech Community – Latest Blogs –Read More