The tale of the phantom cached logon entry


We’re logging on to our laptops with smartcards, but we’ve recently discovered that you’re also able to perform cached logons to the laptops using a username/password combination, even if you’ve only ever logged on using smartcards!

This is by design: a smartcard logon generates a secondary logon that creates an additional LSA cache entry containing NTLM credentials… *UNLESS* the ‘Smart card is required for interactive logon’ box is ticked on the account, in which case no secondary NTLM entry is created.

In fact, ticking the ‘Smart card is required for interactive logon’ box and then logging on to a laptop where username/password credentials were previously cached will clear that entry out.
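The following script is an added example, not code from the original post: it pulls together the three settings that decide whether a password/NTLM cached logon entry can exist on a laptop for a given account (the machine’s CachedLogonsCount, the account’s ‘Smart card is required for interactive logon’ option, and whether LsaSrv has been recycling cache entries). It assumes a domain-joined machine, a local administrator session, ADSI access to the current domain, that the ‘Smart card is required’ option is the SMARTCARD_REQUIRED bit (0x40000) of userAccountControl, and that the 45058 event is logged by the LsaSrv source in the System log. HKLM\SECURITY\Cache is only readable as SYSTEM, so that part runs only under SYSTEM (for example via psexec -s), and it treats all-zero NL$n slots as unused, which is an assumption.

```powershell
# Added example (not part of the original post). Audits the settings that decide
# whether a username/password cached logon entry can be created for an account.
# Assumptions: domain-joined machine, run as local admin, ADSI reachable;
# the SECURITY\Cache check only runs when the session is SYSTEM.
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName
)

# 1. How many cached logon entries does this machine keep?
#    Default is 10 when the value is absent; 0 disables cached logons entirely.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cachedLogonsCount = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cachedLogonsCount) { $cachedLogonsCount = 10 }
"CachedLogonsCount on $env:COMPUTERNAME : $cachedLogonsCount"

# 2. Is 'Smart card is required for interactive logon' ticked on the account?
#    Assumption: that option is the SMARTCARD_REQUIRED bit (0x40000) in userAccountControl.
$SMARTCARD_REQUIRED = 0x40000
$searcher = [ADSISearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
$searcher.PropertiesToLoad.AddRange([string[]]@('userAccountControl', 'distinguishedName'))
$result = $searcher.FindOne()
if ($null -eq $result) { throw "Account '$SamAccountName' not found in the current domain." }
$uac   = [int]$result.Properties['useraccountcontrol'][0]
$scril = ($uac -band $SMARTCARD_REQUIRED) -ne 0
"Smart card required for interactive logon: $scril ($($result.Properties['distinguishedname'][0]))"

# The combination the post describes: caching enabled and the box not ticked means a
# smartcard logon also leaves a secondary NTLM (username/password) cache entry behind.
if (-not $scril -and $cachedLogonsCount -gt 0) {
    Write-Warning "A smartcard logon by $SamAccountName on this machine will also leave a username/password cached logon entry."
}

# 3. Has the cache been recycling entries (LsaSrv event 45058, FIFO deletion)?
#    Assumption: the event source is named 'LsaSrv' in the System log.
$fifo = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'LsaSrv'; Id = 45058 } -MaxEvents 5 -ErrorAction SilentlyContinue
if ($fifo) {
    "Recent LsaSrv 45058 (oldest cache entry removed) events:"
    $fifo | ForEach-Object { "  $($_.TimeCreated)  $($_.Message -replace '\s+', ' ')" }
}

# 4. Count occupied cache slots. HKLM\SECURITY\Cache is readable only as SYSTEM;
#    assumption: NL$n values that are all zero bytes are unused slots.
$isSystem = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value -eq 'S-1-5-18'
if ($isSystem) {
    $cacheKey = Get-Item 'HKLM:\SECURITY\Cache'
    $used = 0
    foreach ($name in ($cacheKey.GetValueNames() | Where-Object { $_ -like 'NL$*' })) {
        $bytes = $cacheKey.GetValue($name)
        if ($bytes -and ($bytes | Where-Object { $_ -ne 0 } | Select-Object -First 1)) { $used++ }
    }
    "Occupied cached logon slots: $used of $($cacheKey.GetValueNames().Where({ $_ -like 'NL$*' }).Count)"
} else {
    "Skipping HKLM\SECURITY\Cache inspection (requires running as SYSTEM, e.g. psexec -s)."
}
```

Run it as `.\Check-CachedLogon.ps1 -SamAccountName jdoe` from an elevated prompt; the slot count in step 4 only appears when the session is SYSTEM. A warning from step 2 is the condition the post describes, and the fix is the account option rather than anything on the laptop.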

Further details:
Cached User logon fails when LSASRV event 45058 indicates FIFO deletion of cached credential
http://support.microsoft.com/kb/2555663

Cached Logons and CachedLogonsCount
http://blogs.technet.com/b/instan/archive/2011/12/06/cached-logons-and-cachedlogonscount.aspx
