This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.
Windows Credentials Disappear
I am working on a network where file sharing requires passwords. There's a mix of Windows 7, 8.1 and 10 systems.
In order to make this work, we have created Windows Credentials on the "client" computers' User profiles. These show up in Windows Credentials as Enterprise type. This seems to be working quite well.
However, I've seen cases where the "client" has had access and now can't gain access and find that they have NO Windows Credentials. This is the case even though I know the credentials were set up previously on that client computer and user profile.
Just FYI:
In some cases, the access is inter-subnet where there is no inter-subnet name service. So, naturally, we use IP Addresses. And, of course, the Windows firewall on the "server" needs to include the client subnet in the file sharing rules scopes. So this should not be an issue. Lacking this, inter-subnet file sharing won't work.
Also FYI:
It appears on the local subnet that credentials set up for [computername] do not work for [ipaddress] and vice versa.
So, if the user might access using either method, a credential for [computername] and another credential for [ipaddress] seems necessary.
Of course, for inter-subnet file sharing there can only be [ipaddress].
Because the access policies are rather strict, I need the establishment of the Windows Credentials to be robust.
I'm wondering if there is some process that might delete them automatically? Like CCleaner or ..... ?
I'm wondering if there isn't some setting or process that we're missing beyond "remember this..."?
In reading about this, I'm now wondering if the User Windows login password is changed, will that wipe out the Credentials? What I saw today had that element mixed in. And, the email pop password also seemed to be gone.
In order to make this work, we have created Windows Credentials on the "client" computers' User profiles. These show up in Windows Credentials as Enterprise type. This seems to be working quite well.
However, I've seen cases where the "client" has had access and now can't gain access and find that they have NO Windows Credentials. This is the case even though I know the credentials were set up previously on that client computer and user profile.
Just FYI:
In some cases, the access is inter-subnet where there is no inter-subnet name service. So, naturally, we use IP Addresses. And, of course, the Windows firewall on the "server" needs to include the client subnet in the file sharing rules scopes. So this should not be an issue. Lacking this, inter-subnet file sharing won't work.
Also FYI:
It appears on the local subnet that credentials set up for [computername] do not work for [ipaddress] and vice versa.
So, if the user might access using either method, a credential for [computername] and another credential for [ipaddress] seems necessary.
Of course, for inter-subnet file sharing there can only be [ipaddress].
Because the access policies are rather strict, I need the establishment of the Windows Credentials to be robust.
I'm wondering if there is some process that might delete them automatically? Like CCleaner or ..... ?
I'm wondering if there isn't some setting or process that we're missing beyond "remember this..."?
In reading about this, I'm now wondering if the User Windows login password is changed, will that wipe out the Credentials? What I saw today had that element mixed in. And, the email pop password also seemed to be gone.
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Are you saying that the credentials on one of the computers are disappearing?
Are they just not visible from another computer, or are they missing from the computer that you set them up on?
After you made the user on the computer, did you log in as that user, or did you skip that step?
When you say that you are on different subnets, is one of them in a domain?
Is the other one also in the domain?
Are you doing something like this? RUN \\192.168.5.42 ENTER and seeing what comes up?
Did you make a share on the "server?"
Are they just not visible from another computer, or are they missing from the computer that you set them up on?
After you made the user on the computer, did you log in as that user, or did you skip that step?
When you say that you are on different subnets, is one of them in a domain?
Is the other one also in the domain?
Are you doing something like this? RUN \\192.168.5.42 ENTER and seeing what comes up?
Did you make a share on the "server?"
awed1: Yes. The credentials disappeared. They are missing from the computer that they were set up on.
I didn't have to "make a user", it was already there.
And, I don't know how to make credentials without that user being logged into Windows - as they are user-specific. So, we log into that user profile and set up the credentials and then generally log off.
No domains.
Yes, RUN \\[ipaddress] to see what comes up is a good way that I use often. Then you see all the shares.
Yes. Shares on the "server".
Most of this isn't new. We've been doing this now for some months without much of a hitch.
But then, overlapping this is much more frequent use of Standard User accounts, of which this was one of those on the client that lost creds. AND the user changed the Windows password which appears to have caused the loss to happen.
I didn't have to "make a user", it was already there.
And, I don't know how to make credentials without that user being logged into Windows - as they are user-specific. So, we log into that user profile and set up the credentials and then generally log off.
No domains.
Yes, RUN \\[ipaddress] to see what comes up is a good way that I use often. Then you see all the shares.
Yes. Shares on the "server".
Most of this isn't new. We've been doing this now for some months without much of a hitch.
But then, overlapping this is much more frequent use of Standard User accounts, of which this was one of those on the client that lost creds. AND the user changed the Windows password which appears to have caused the loss to happen.
Are you using static IP addresses everywhere? If not, credentials will break (but not disappear) if UP addresses change.
gilnov: Yes. Static IP addresses everywhere. So no worries about them changing. But thanks for the thought.
Hello,
if the user changes his password, the old one remains in the credential manager (and can cause account lockout, btw...), Windows will use these old credentials when connecting to the share, and, after multiple attemps, Windows will ask the user for the "good" credentials.
If the user provides the new credentials at this point AND doesn't check the "Remember this credentials" checkbox, Windows may delete the saved credentials stored in the credentials manager.
if the user changes his password, the old one remains in the credential manager (and can cause account lockout, btw...), Windows will use these old credentials when connecting to the share, and, after multiple attemps, Windows will ask the user for the "good" credentials.
If the user provides the new credentials at this point AND doesn't check the "Remember this credentials" checkbox, Windows may delete the saved credentials stored in the credentials manager.
In this case, the User doesn't have the file access login information. Of course, the Name in the login is visible to anyone looking at the credentials but the password isn't known. Just FYI.
When credentials are entered they are entered AND tested and checked for persistence.
Let's be very clear here:
If the client user changes his WIndows Logon password I don't believe that the Windows logon password is in the credential manager at all. That is, unless it's somehow tied into the encryption scheme. That last part is unclear to me.
If the "server" user changes the password attached to the username at that end, then of course the clients will all have to have credentials that match. But this isn't about that.....
Saying: "Windows will use these old credentials" implies that, even after a Windows logon password change for a User profile on a client that the credential list and contents will remain unchanged.
Oh! I sure hope so! I guess I should just try it...
Yet, it still appears that this is what happened.
Did I mention: The client user in this case (with the changed Windows logon password) is a Standard User. We have been introducing Standard Users and are gaining experience with them.
I confirmed that there is NOT a new user profile involved - which would have no credentials to start with.
I confirmed that ALL the credentials established earlier were gone.
When credentials are entered they are entered AND tested and checked for persistence.
Let's be very clear here:
If the client user changes his WIndows Logon password I don't believe that the Windows logon password is in the credential manager at all. That is, unless it's somehow tied into the encryption scheme. That last part is unclear to me.
If the "server" user changes the password attached to the username at that end, then of course the clients will all have to have credentials that match. But this isn't about that.....
Saying: "Windows will use these old credentials" implies that, even after a Windows logon password change for a User profile on a client that the credential list and contents will remain unchanged.
Oh! I sure hope so! I guess I should just try it...
Yet, it still appears that this is what happened.
Did I mention: The client user in this case (with the changed Windows logon password) is a Standard User. We have been introducing Standard Users and are gaining experience with them.
I confirmed that there is NOT a new user profile involved - which would have no credentials to start with.
I confirmed that ALL the credentials established earlier were gone.
Interesting to see that if a server has AD installed it wipes regular account passwords. Also interesting to see some versions of Windows limits the passwords to 8 char.
This post seems to have a similar fight on their hands.
http://www.w7forums.com/threads/windows-7-does-not-save-network-login-credentials-username-and-password.1621/
This post seems to have a similar fight on their hands.
http://www.w7forums.com/threads/windows-7-does-not-save-network-login-credentials-username-and-password.1621/
configterm: that's a different problem. These credentials are being saved and persist. Yet, we have seen this case where they disappeared thereafter.
gilnov: Yes I have. The consideration resulted in "no way".
gilnov: Yes I have. The consideration resulted in "no way".
gilnov: How many computers are "involved"? That's a little hard to say as there is a dispersed set of file "servers" which are each accessed by some number of clients. (And I'm about half way through the transition to tighter file access security). A couple "servers" have many clients and the others are more focused. I'd say the number of clients runs from 3 to 10 per "server". What's more interesting is how the file access is set up to save maintenance attention.
The total number of computers across 3 facilities is around 50. Some people see it strange to have such a large interconnected set of peer-to-peer networks but the configuration serves the organization well. Some believe that 5 computers demands a server-centric configuration. Others allow up to 25.
The total number of computers across 3 facilities is around 50. Some people see it strange to have such a large interconnected set of peer-to-peer networks but the configuration serves the organization well. Some believe that 5 computers demands a server-centric configuration. Others allow up to 25.
Fred,
Sorry, I am not much of an expert.
I am confused about what you are describing though.
These are Professional version OS and not Home, right?
You are setting up passwords on user accounts, ie Windows OS logon credentials, correct?
You are not setting them up in the Computer Management Console but somewhere else, correct?
Somehow the user exists, but then his credentials disappear. I don't know what you are describing.
It might be that some user has changed his name and the new user name change was not managed properly.
I have seen cases where a user name on a user account showed up as one name in one location in the OS and another name in another location. Maybe that is what you have going on.
Log into the computer as local admin.
RUN compmgmt.msc > "Local Users and Groups" : open "Users" and see if the user is listed.
If he is, right click and look to see if he has the right to change his own password.
If he isn't, then it is likely to be one of those cases where someone has at some point improperly changed the user's name.
You don't have to use the current user or even the regular user.
You can add a user account here.
I don't know if this helps in any way.
I was just trying to clarify your question so that I could understand it better.
Sorry, I am not much of an expert.
I am confused about what you are describing though.
These are Professional version OS and not Home, right?
You are setting up passwords on user accounts, ie Windows OS logon credentials, correct?
You are not setting them up in the Computer Management Console but somewhere else, correct?
Somehow the user exists, but then his credentials disappear. I don't know what you are describing.
It might be that some user has changed his name and the new user name change was not managed properly.
I have seen cases where a user name on a user account showed up as one name in one location in the OS and another name in another location. Maybe that is what you have going on.
Log into the computer as local admin.
RUN compmgmt.msc > "Local Users and Groups" : open "Users" and see if the user is listed.
If he is, right click and look to see if he has the right to change his own password.
If he isn't, then it is likely to be one of those cases where someone has at some point improperly changed the user's name.
You don't have to use the current user or even the regular user.
You can add a user account here.
I don't know if this helps in any way.
I was just trying to clarify your question so that I could understand it better.
@Fred
I've never seen credentials spontaneously disappear in any version of Windows. I can't say for sure but I suspect one or more users may be guilty of misuse, abuse or outright sabotage of the system, intentional or otherwise. And they will obfuscate, fabricate and outright lie in either case so you will never know for sure either.
I've never personally witnessed a ~50-node peer-to-peer network - anything over 5 and I recommend a domain. I'm sure I'm not telling you anything you don't know when I say that the situation you describe is exactly why domains were developed (and to a lesser extent, homegroups -- which I would also eschew in your circumstance). With credentials dispersed among different versions of Windows and on different subnets, things are bound to get tangled...unless you ban all user access to the network.
I'm sure you have your reasons for doing it the way you are so I won't ask "why" but I will say that, ultimately, you are wrestling with the cold hard fact that Windows networking was not designed to do what you are asking it to do. Kudos for getting it configured well enough to get off the ground but if I were you, I would go to the owners of the organization and tell them to purchase a real server. The cost of the hardware and license will pay for itself the first month of operation in improved efficiency not to mention security.
I've never seen credentials spontaneously disappear in any version of Windows. I can't say for sure but I suspect one or more users may be guilty of misuse, abuse or outright sabotage of the system, intentional or otherwise. And they will obfuscate, fabricate and outright lie in either case so you will never know for sure either.
I've never personally witnessed a ~50-node peer-to-peer network - anything over 5 and I recommend a domain. I'm sure I'm not telling you anything you don't know when I say that the situation you describe is exactly why domains were developed (and to a lesser extent, homegroups -- which I would also eschew in your circumstance). With credentials dispersed among different versions of Windows and on different subnets, things are bound to get tangled...unless you ban all user access to the network.
I'm sure you have your reasons for doing it the way you are so I won't ask "why" but I will say that, ultimately, you are wrestling with the cold hard fact that Windows networking was not designed to do what you are asking it to do. Kudos for getting it configured well enough to get off the ground but if I were you, I would go to the owners of the organization and tell them to purchase a real server. The cost of the hardware and license will pay for itself the first month of operation in improved efficiency not to mention security.
gilnov: Yes. I understand the thought process. In fact, the system has been working well for many years with few troubles.
Whereas, file shares have been wide open to the entire enterprise, they are now being locked down and users must have credentials installed to access what they need.
So, we are experiencing in real time how that works - albeit in a very deliberate way.
So far it's been working quite well - so I don't anticipate any real problems at this stage of evolution.
But having credentials disappear is a real nuisance.
I appreciate what you say about people. I don't have much suspicion in this case.
I'm trying to monitor when credentials disappear in order to keep track and get a sense for it.
So, if someone could say: YES..here is what can make that happen... Or, NO, that just doesn't happen normally (as you suggest), then I will be more confident.
Whereas, file shares have been wide open to the entire enterprise, they are now being locked down and users must have credentials installed to access what they need.
So, we are experiencing in real time how that works - albeit in a very deliberate way.
So far it's been working quite well - so I don't anticipate any real problems at this stage of evolution.
But having credentials disappear is a real nuisance.
I appreciate what you say about people. I don't have much suspicion in this case.
I'm trying to monitor when credentials disappear in order to keep track and get a sense for it.
So, if someone could say: YES..here is what can make that happen... Or, NO, that just doesn't happen normally (as you suggest), then I will be more confident.
@Fred
I'm not saying it's impossible that the credentials are vanishing on their own or that there isn't some piece of software (or multiple pieces) that are causing them to vanish. There is LOTS of software in the world. But, until we identify the cause, we're stuck proving a negative. It's impossible to rule out EVERY piece of software as the culprit because it could be a virus. And while you don't suspect your users, it could be a outside attacker.
Speaking of human suspects, my users break (sabotage) things all the time without even realizing it...and so do yours! It's not a matter of suspicion as much as it is a fact of life. Monitoring should turn up what's going on in short order though so happy hunting.
I'm not saying it's impossible that the credentials are vanishing on their own or that there isn't some piece of software (or multiple pieces) that are causing them to vanish. There is LOTS of software in the world. But, until we identify the cause, we're stuck proving a negative. It's impossible to rule out EVERY piece of software as the culprit because it could be a virus. And while you don't suspect your users, it could be a outside attacker.
Speaking of human suspects, my users break (sabotage) things all the time without even realizing it...and so do yours! It's not a matter of suspicion as much as it is a fact of life. Monitoring should turn up what's going on in short order though so happy hunting.
awed1: Sorry, I missed your last post temporarily. If you type in the search box at Start:
cred
You will get a list that includes Windows Credentials - select that one.
There you will see a list of Windows Credentials that have been set up.
These so NOT include the User Profile Windows Logon. The User Profile Windows Logon is not so much the issue here - except it appears that it affects what you see on this page IF you change the Windows logon password.
The Credentials you see here are to access other computer's files primarily or perhaps to use Remote Desktop. They are specific to the local user and are specific to the target computer and application or file folder. That's my simple view of this.
cred
You will get a list that includes Windows Credentials - select that one.
There you will see a list of Windows Credentials that have been set up.
These so NOT include the User Profile Windows Logon. The User Profile Windows Logon is not so much the issue here - except it appears that it affects what you see on this page IF you change the Windows logon password.
The Credentials you see here are to access other computer's files primarily or perhaps to use Remote Desktop. They are specific to the local user and are specific to the target computer and application or file folder. That's my simple view of this.
IT HAPPENED AGAIN! Different site, different computer, different user, same apparent cause.
The User Profile Windows Logon Password was changed and all the Windows Credentials for other computers were deleted. Or, if you don't believe that then you could say that they mysteriously disappeared just after the password change.
There has to be an explanation for this. I still rather think it's tied up with Kerberos or some similar thing.
What I'd like is a registry edit to stop this from happening.
The notion of a script comes to mind but there are security issues surrounding that idea - so I'd rather not go there right now.
The User Profile Windows Logon Password was changed and all the Windows Credentials for other computers were deleted. Or, if you don't believe that then you could say that they mysteriously disappeared just after the password change.
There has to be an explanation for this. I still rather think it's tied up with Kerberos or some similar thing.
What I'd like is a registry edit to stop this from happening.
The notion of a script comes to mind but there are security issues surrounding that idea - so I'd rather not go there right now.
Have you looked at a place like this?
It has information about what you describe.
https://support.microsoft.com/en-us/kb/2845626
It has information about what you describe.
https://support.microsoft.com/en-us/kb/2845626
Somehow on reading your description, I missed you saying that it takes place when you change the user's logon password.
So the problem is repeatable. Now that's something we can chew on! Did the two computers where credentials vanished have the same or different versions of Windows?
Well, I think we need to take all of this with a bit of skepticism but nonetheless:
I don't know that we can say the problem is repeatable. The problem occurred on more than one computer is all that we know.
2 are up-to-date Windows 7 Pro
1 is Windows 10 Pro
In the meantime, I have experimented with one of my own Win7 Pro workstations with both an Administrative User and a Standard User. In neither case did the Credentials disappear..... They survived a password change and a reboot.
I don't know that we can say the problem is repeatable. The problem occurred on more than one computer is all that we know.
2 are up-to-date Windows 7 Pro
1 is Windows 10 Pro
In the meantime, I have experimented with one of my own Win7 Pro workstations with both an Administrative User and a Standard User. In neither case did the Credentials disappear..... They survived a password change and a reboot.
Fred,
Did you read that KB article?
It described the problem that you describe.
It makes sense that some computers would have the problem and other's wouldn't as well.
Some may have the appropriate patch and others may not.
https://support.microsoft.com/en-us/kb/2845626
Thanks,
B.
Did you read that KB article?
It described the problem that you describe.
It makes sense that some computers would have the problem and other's wouldn't as well.
Some may have the appropriate patch and others may not.
https://support.microsoft.com/en-us/kb/2845626
Thanks,
B.
I have now tried two more computers. These had lost their Credentials during a Windows logon password change. I changed their passwords and DID NOT lose the credentials .. rebooting at each step. I don't have a platform to try anything on.
I hate to sound like a broken record, Fred, but if I were bidding this as a consulting gig, I would strongly recommend a domain. You mentioned earlier that the distributed credentials model has worked fine for years but what has changed is that you are trying to implement access controls on your network. That is going to be very difficult with distributed credentials. The way I see it, you'll either continue to struggle with disappearing credentials or have to learn a new way of doing things. You're going to be exiting the comfort zone one way or the other.
gilnov: I don't doubt your recommendation for a minute! On the other hand I'm finding that this new approach is much easier to work with than the old one. The old one was wide open and full of surprises. We would "tweak" until we could get it to work and then leave it alone. The new approach is easy to set up and easy to manage albeit perhaps more tedious than centralized management. But it lacks the uncertainties. The lost Credentials is likely a transient that will disappear with time. Yet, I try to learn as much as I can about things like this.
It makes me wonder how much real experience there is for doing something like this? I realize that's a disadvantage if one needs advice. I can already tell the difference between a system that has matched users and unmatched passwords that doesn't require passwords, a system that doesn't require passwords, and a system that requires passwords and has no credentials. Perhaps it was my ignorance but because of the subtle differences I had *no* idea in the past.
Maybe we'll get a system that consistently fails and figure out why.
It makes me wonder how much real experience there is for doing something like this? I realize that's a disadvantage if one needs advice. I can already tell the difference between a system that has matched users and unmatched passwords that doesn't require passwords, a system that doesn't require passwords, and a system that requires passwords and has no credentials. Perhaps it was my ignorance but because of the subtle differences I had *no* idea in the past.
Maybe we'll get a system that consistently fails and figure out why.
Lucas: I initially thought your response was correct but "not my problem" - because it actually isn't. But you made a very good point. So I should mention: In order to avoid this, I'm using user profiles for file sharing that are NEVER used as Windows logon profiles. And, the credentials are installed in user profiles with their not having the information in them. This way, users can change their own passwords without perturbing file access of others and, at the same time, access is controlled.
If that's not clear, it works like this:
A "file server / workstation" has a number of user profiles set up. Some are for human and infrastructure Administrator Users, some are for human Standard Users and some are for file sharing only (non-human). The file sharing users are given permissions on the "file server" shared folders. Those same logon parameters are installed as Credentials in other computers/user profiles.
So, the "workstation" aspect of the "file server / workstation" is independent of the "file server" aspect of the "file server / workstation". Password change rules can then be flexible without perturbing other setups.
If that's not clear, it works like this:
A "file server / workstation" has a number of user profiles set up. Some are for human and infrastructure Administrator Users, some are for human Standard Users and some are for file sharing only (non-human). The file sharing users are given permissions on the "file server" shared folders. Those same logon parameters are installed as Credentials in other computers/user profiles.
So, the "workstation" aspect of the "file server / workstation" is independent of the "file server" aspect of the "file server / workstation". Password change rules can then be flexible without perturbing other setups.
Premium Content
You need an Expert Office subscription to comment.Start Free Trial