The tale of the phantom cached logon entry

Article
10/23/2012

We're logging on with smartcards to our laptops but we've recently discovered that you're also able to perform cached logons on to the laptops using a username/password combination even if you've only ever logged on using smartcards!

This is by design, smartcard logons generate a secondary logon that creates an additional lscache entry that contains NTLM credentials....*UNLESS* the 'Smartcard is required' tickbox is ticked in which case no secondary NTLM entry is created.

In fact, ticking the 'Smartcard is required' box and logging on to a laptop where username/password credentials were previously stored will clear that entry out.

Further details:
Cached User logon fails when LSASRV event 45058 indicates FIFO deletion of cached credential
http://support.microsoft.com/kb/2555663

Cached Logons and CachedLogonsCount
http://blogs.technet.com/b/instan/archive/2011/12/06/cached-logons-and-cachedlogonscount.aspx

The tale of the phantom cached logon entry

Additional resources