I had a very interesting escalation last week:
We want to require our users to log on to our Windows 7 workstations with smartcards when they are connected to the corporate network but we also want to allow them to logon using their previous username/password combination when offline.
This isn’t working quite as we expected, the users aren’t able to log on offline with their old password.
I did some research on this and determined the following:
What the customer is describing (and their desired end-result) is the original behaviour for cached logons when smartcards are required for a user.
When the box is ticked the password of the user is set to a random password (since W2k3) and the user isn’t able to do an online logon using the old password.
IF the user had previously successfully logged on to a workstation with their old username/password combination and didn’t attempt a new logon however – the old entry in the LSA cache wasn’t purged.
This meant that the user was able to log on to their workstation while offline using their old username/password combination.
However, there was a design change to the LSA cache code back in Windows XP in http://support.microsoft.com/kb/906681 which changed the caching behavior so that if a user successfully performs an online logon using a smartcard *and* the ‘Smart Card is required for interactive logon’ option is set for that user then all cached username/password entries for that user are purged from the LSA cache.
This means that the next time the user logs on whle on the corporate network using a smartcard after you tick the ‘Smart Card is required for interactive logon’ option for the user – all username/password entries for that user are purged from the local LSA cache and that user will not be able to log on offline using their previously cached username/password credentials.
The change in KB906681 was a customer-initiated change request to the Windows XP code that is also present in Vista and Windows 7.
A user can log on to a Windows XP-based computer by using a user name and a password, even though the “Smart card is required for interactive logon” user account property is set