Windows Credentials Disappear

Fred Marshall
Fred Marshall used Ask the Experts™
on
I am working on a network where file sharing requires passwords.  There's a mix of Windows 7, 8.1 and 10 systems.
In order to make this work, we have created Windows Credentials on the "client" computers' User profiles.  These show up in Windows Credentials as Enterprise type.  This seems to be working quite well.

However, I've seen cases where the "client" has had access and now can't gain access and find that they have NO Windows Credentials.  This is the case even though I know the credentials were set up previously on that client computer and user profile.

Just FYI:
In some cases, the access is inter-subnet where there is no inter-subnet name service.  So, naturally, we use IP Addresses.  And, of course, the Windows firewall on the "server" needs to include the client subnet in the file sharing rules scopes.  So this should not be an issue.  Lacking this, inter-subnet file sharing won't work.

Also FYI:
It appears on the local subnet that credentials set up for [computername] do not work for [ipaddress] and vice versa.
So, if the user might access using either method, a credential for [computername] and another credential for [ipaddress] seems necessary.
Of course, for inter-subnet file sharing there can only be [ipaddress].

Because the access policies are rather strict, I need the establishment of the Windows Credentials to be robust.  
I'm wondering if there is some process that might delete them automatically?  Like CCleaner or ..... ?
I'm wondering if there isn't some setting or process that we're missing beyond "remember this..."?

In reading about this, I'm now wondering if the User Windows login password is changed, will that wipe out the Credentials?  What I saw today had that element mixed in.  And, the email pop password also seemed to be gone.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

Commented:
Are you saying that the credentials on one of the computers are disappearing?
Are they just not visible from another computer, or are they missing from the computer that you set them up on?
After you made the user on the computer, did you log in as that user, or did you skip that step?

When you say that you are on different subnets, is one of them in a domain?
Is the other one also in the domain?

Are you doing something like this? RUN \\192.168.5.42 ENTER and seeing what comes up?

Did you make a share on the "server?"

Author

Commented:
awed1: Yes.  The credentials disappeared.  They are missing from the computer that they were set up on.
I didn't have to "make a user", it was already there.
And, I don't know how to make credentials without that user being logged into Windows - as they are user-specific.  So, we log into that user profile and set up the credentials and then generally log off.

No domains.

Yes, RUN \\[ipaddress] to see what comes up is a good way that I use often.  Then you see all the shares.  

Yes.  Shares on the "server".

Most of this isn't new.  We've been doing this now for some months without much of a hitch.
But then, overlapping this is much more frequent use of Standard User accounts, of which this was one of those on the client that lost creds.  AND the user changed the Windows password which appears to have caused the loss to happen.
gilnovSystems Administrator
Commented:
Are you using static IP addresses everywhere? If not, credentials will break (but not disappear) if UP addresses change.
Become a Certified Penetration Testing Engineer

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

gilnovSystems Administrator

Commented:
*IP addresses

Author

Commented:
gilnov:  Yes.  Static IP addresses everywhere.  So no worries about them changing.  But thanks for the thought.
Commented:
Hello,

if the user changes his password, the old one remains in the credential manager (and can cause account lockout, btw...), Windows will use these old credentials when connecting to the share, and, after multiple attemps, Windows will ask the user for the "good" credentials.

If the user provides the new credentials at this point AND doesn't check the "Remember this credentials" checkbox, Windows may delete the saved credentials stored in the credentials manager.

Author

Commented:
In this case, the User doesn't have the file access login information.  Of course, the Name in the login is visible to anyone looking at the credentials but the password isn't known.  Just FYI.

When credentials are entered they are entered AND tested and checked for persistence.

Let's be very clear here:

If the client user changes his WIndows Logon password I don't believe that the Windows logon password is in the credential manager at all.  That is, unless it's somehow tied into the encryption scheme.  That last part is unclear to me.

If the "server" user changes the password attached to the username at that end, then of course the clients will all have to have credentials that match.  But this isn't about that.....

Saying: "Windows will use these old credentials" implies that, even after a Windows logon password change for a User profile on a client that the credential list and contents will remain unchanged.  
Oh!  I sure hope so!  I guess I should just try it...
Yet, it still appears that this is what happened.

Did I mention: The client user in this case (with the changed Windows logon password) is a Standard User.  We have been introducing Standard Users and are gaining experience with them.

I confirmed that there is NOT a new user profile involved - which would have no credentials to start with.

I confirmed that ALL the credentials established earlier were gone.
Interesting to see that if a server has AD installed it wipes regular account passwords.  Also interesting to see some versions of Windows limits the passwords to 8 char.

This post seems to have a similar fight on their hands.
http://www.w7forums.com/threads/windows-7-does-not-save-network-login-credentials-username-and-password.1621/
gilnovSystems Administrator

Commented:
Have you considered creating a home group?

Author

Commented:
configterm:  that's a different problem.  These credentials are being saved and persist.  Yet, we have seen this case where they disappeared thereafter.

gilnov: Yes I have.  The consideration resulted in "no way".
gilnovSystems Administrator

Commented:
How many computers are involved?

Author

Commented:
gilnov:  How many computers are "involved"?  That's a little hard to say as there is a dispersed set of file "servers" which are each accessed by some number of clients.  (And I'm about half way through the transition to tighter file access security).  A couple "servers" have many clients and the others are more focused.  I'd say the number of clients runs from 3 to 10 per "server".  What's more interesting is how the file access is set up to save maintenance attention.

The total number of computers across 3 facilities is around 50.  Some people see it strange to have such a large interconnected set of peer-to-peer networks but the configuration serves the organization well.  Some believe that 5 computers demands a server-centric configuration.  Others allow up to 25.

Commented:
Fred,

Sorry, I am not much of an expert.
I am confused about what you are describing though.

These are Professional version OS and not Home, right?

You are setting up passwords on user accounts, ie Windows OS logon credentials, correct?

You are not setting them up in the Computer Management Console but somewhere else, correct?

Somehow the user exists, but then his credentials disappear. I don't know what you are describing.

It might be that some user has changed his name and the new user name change was not managed properly.
I have seen cases where a user name on a user account showed up as one name in one location in the OS and another name in another location. Maybe that is what you have going on.
Log into the computer as local admin.
RUN compmgmt.msc  > "Local Users and Groups" : open "Users" and see if the user is listed.
If he is, right click and look to see if he has the right to change his own password.
If he isn't, then it is likely to be one of those cases where someone has at some point improperly changed the user's name.

You don't have to use the current user or even the regular user.
You can  add a user account here.

I don't know if this helps in any way.
I was just trying to clarify your question so that I could understand it better.
gilnovSystems Administrator
Commented:
@Fred
I've never seen credentials spontaneously disappear in any version of Windows. I can't say for sure but I suspect one or more users may be guilty of misuse, abuse or outright sabotage of the system, intentional or otherwise. And they will obfuscate, fabricate and outright lie in either case so you will never know for sure either.

I've never personally witnessed a ~50-node peer-to-peer network - anything over 5 and I recommend a domain. I'm sure I'm not telling you anything you don't know when I say that the situation you describe is exactly why domains were developed (and to a lesser extent, homegroups -- which I would also eschew in your circumstance). With credentials dispersed among different versions of Windows and on different subnets, things are bound to get tangled...unless you ban all user access to the network.

I'm sure you have your reasons for doing it the way you are so I won't ask "why" but I will say that, ultimately, you are wrestling with the cold hard fact that Windows networking was not designed to do what you are asking it to do. Kudos for getting it configured well enough to get off the ground but if I were you, I would go to the owners of the organization and tell them to purchase a real server. The cost of the hardware and license will pay for itself the first month of operation in improved efficiency not to mention security.

Author

Commented:
gilnov:  Yes.  I understand the thought process.  In fact, the system has been working well for many years with few troubles.

Whereas, file shares have been wide open to the entire enterprise, they are now being locked down and users must have credentials installed to access what they need.
So, we are experiencing in real time how that works - albeit in a very deliberate way.
So far it's been working quite well - so I don't anticipate any real problems at this stage of evolution.
But having credentials disappear is a real nuisance.

I appreciate what you say about people.  I don't have much suspicion in this case.  
I'm trying to monitor when credentials disappear in order to keep track and get a sense for it.
So, if someone could say: YES..here is what can make that happen...  Or, NO, that just doesn't happen normally (as you suggest), then I will be more confident.
gilnovSystems Administrator

Commented:
@Fred
I'm not saying it's impossible that the credentials are vanishing on their own or that there isn't some piece of software (or multiple pieces) that are causing them to vanish. There is LOTS of software in the world. But, until we identify the cause, we're stuck proving a negative. It's impossible to rule out EVERY piece of software as the culprit because it could be a virus. And while you don't suspect your users, it could be a outside attacker.

Speaking of human suspects, my users break (sabotage) things all the time without even realizing it...and so do yours! It's not a matter of suspicion as much as it is a fact of life. Monitoring should turn up what's going on in short order though so happy hunting.

Author

Commented:
awed1:  Sorry, I missed your last post temporarily.  If you type in the search box at Start:
cred
You will get a list that includes Windows Credentials - select that one.
There you will see a list of Windows Credentials that have been set up.  
These so NOT include the User Profile Windows Logon.  The User Profile Windows Logon is not so much the issue here - except it appears that it affects what you see on this page IF you change the Windows logon password.
The Credentials you see here are to access other computer's files primarily or perhaps to use Remote Desktop.  They are specific to the local user and are specific to the target computer and application or file folder.  That's my simple view of this.

Author

Commented:
IT HAPPENED AGAIN!  Different site, different computer, different user, same apparent cause.
The User Profile Windows Logon Password was changed and all the Windows Credentials for other computers were deleted.  Or, if you don't believe that then you could say that they mysteriously disappeared just after the password change.

There has to be an explanation for this.  I still rather think it's tied up with Kerberos or some similar thing.

What I'd like is a registry edit to stop this from happening.
The notion of a script comes to mind but there are security issues surrounding that idea - so I'd rather not go there right now.
Commented:
Have you looked at a place like this?
It has information about what you describe.
https://support.microsoft.com/en-us/kb/2845626

Commented:
Somehow on reading your description, I missed you saying that it takes place when you change the user's logon password.
gilnovSystems Administrator

Commented:
So the problem is repeatable. Now that's something we can chew on! Did the two computers where credentials vanished have the same or different versions of Windows?
gilnovSystems Administrator

Commented:
And what version(s) of Windows did they have?

Author

Commented:
Well, I think we need to take all of this with a bit of skepticism but nonetheless:
I don't know that we can say the problem is repeatable.  The problem occurred on more than one computer is all that we know.
2 are up-to-date Windows 7 Pro
1 is Windows 10 Pro

In the meantime, I have experimented with one of my own  Win7 Pro workstations with both an Administrative User and a Standard User.  In neither case did the Credentials disappear.....  They survived a password change and a reboot.
Commented:
Fred,

Did you read that KB article?
It described the problem that you describe.
It makes sense that some computers would have the problem and other's wouldn't as well.
Some may have the appropriate patch and others may not.
https://support.microsoft.com/en-us/kb/2845626 
Thanks,
B.

Author

Commented:
I have now tried two more computers.  These had lost their Credentials during a Windows logon password change.  I changed their passwords and DID NOT lose the credentials .. rebooting at each step.  I don't have a platform to try anything on.
gilnovSystems Administrator

Commented:
I hate to sound like a broken record, Fred, but if I were bidding this as a consulting gig, I would strongly recommend a domain. You mentioned earlier that the distributed credentials model has worked fine for years but what has changed is that you are trying to implement  access controls on your network. That is going to be very difficult with distributed credentials. The way I see it, you'll either continue to struggle with disappearing credentials or have to learn a new way of doing things. You're going to be exiting the comfort zone one way or the other.

Author

Commented:
gilnov:  I don't doubt your recommendation for a minute!  On the other hand I'm finding that this new approach is much easier to work with than the old one.  The old one was wide open and full of surprises.  We would "tweak" until we could get it to work and then leave it alone.  The new approach is easy to set up and easy to manage albeit perhaps more tedious than centralized management.  But it lacks the uncertainties.  The lost Credentials is likely a transient that will disappear with time.  Yet, I try to learn as much as I can about things like this.

It makes me wonder how much real experience there is for doing something like this?  I realize that's a disadvantage if one needs advice.  I can already tell the difference between a system that has matched users and unmatched passwords that doesn't require passwords, a system that doesn't require passwords, and a system that requires passwords and has no credentials.  Perhaps it was my ignorance but because of the subtle differences I had *no* idea in the past.

Maybe we'll get a system that consistently fails and figure out why.

Author

Commented:
Lucas:  I initially thought your response was correct but "not my problem" - because it actually isn't.  But you made a very good point.  So I should mention: In order to avoid this, I'm using user profiles for file sharing that are NEVER used as Windows logon profiles.  And, the credentials are installed in user profiles with their not having the information in them.  This way, users can change their own passwords without perturbing file access of others and, at the same time, access is controlled.

If that's not clear, it works like this:
A "file server / workstation" has a number of user profiles set up.  Some are for human and infrastructure Administrator Users, some are for human Standard Users and some are for file sharing only (non-human).  The file sharing users are given permissions on the "file server" shared folders.  Those same logon parameters are installed as Credentials in other computers/user profiles.
So, the "workstation" aspect of the "file server / workstation" is independent of the "file server" aspect of the "file server / workstation".  Password change rules can then be flexible without perturbing other setups.

Author

Commented:
Thanks all!
gilnovSystems Administrator

Commented:
Godspeed, Fred. I hope it works out for you in the end.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial