Watching out for cached credentials!


During an investigation into problems where a client's remote machines appeared unable to authenticate correctly with a domain controller across VPN links over ADSL and a recently introduced leased line, some useful points were raised.

1) Is your provider blocking any traffic?

After recently putting in a leased line from a service provider in the UK, the question was raised: are they blocking any ports or traffic? Even if you get reassurances from the provider, you may wish to prove it to yourself. Using a port scanner, check from the client to the remote DC that the ports you require access to (for example 139) are available over the connection. Do a full port scan, not just a quick one!
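As an added example (not part of the original post), the PowerShell below does that verification from a client: it attempts a TCP connection to each port a domain member normally needs on the DC and reports whether the port answered, refused, or timed out. The distinction is the useful part: a port the DC is known to serve that times out is what provider or firewall filtering looks like, while a refusal means the path is open and nothing is listening. The DC name, the timeout and the `-ExtraPorts` parameter are my placeholders, not values from the post.

```powershell
# Added example: verify from a client that the TCP ports a domain member uses
# against its DC are reachable across the VPN / leased line.
# $DomainController is a placeholder; replace it with your DC's name or IP.
param(
    [string]$DomainController = 'dc01.corp.example',   # placeholder
    [int]$TimeoutMs = 1500,
    [int[]]$ExtraPorts = @()                            # e.g. a range to sweep
)

# Well-known TCP ports a domain member talks to on a DC. The post mentions 139;
# the rest are the usual Active Directory set. (Plain hashtable on purpose:
# [ordered] treats an integer index as a position, not a key.)
$AdTcpPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    139  = 'NetBIOS session (SMB over NetBIOS)'
    389  = 'LDAP'
    445  = 'SMB (direct)'
    464  = 'Kerberos password change'
    636  = 'LDAP over TLS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over TLS'
}

function Test-TcpPort {
    # Returns 'open', 'closed' (connection refused) or 'filtered' (no answer
    # within the timeout). A filtering provider produces 'filtered'; a DC that
    # simply does not run the service produces 'closed'.
    param([string]$Target, [int]$Port, [int]$Timeout)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($Timeout, $false)) { return 'filtered' }
        $client.EndConnect($ar)        # throws a SocketException when refused
        return 'open'
    }
    catch {
        $base = $_.Exception.GetBaseException()
        if ($base -is [System.Net.Sockets.SocketException]) { return 'closed' }
        return "error: $($base.Message)"
    }
    finally {
        $client.Close()
    }
}

$portList = @($AdTcpPorts.Keys | Sort-Object) + $ExtraPorts
$results = foreach ($port in $portList) {
    $service = if ($AdTcpPorts.ContainsKey($port)) { $AdTcpPorts[$port] } else { '' }
    [pscustomobject]@{
        Port    = $port
        Service = $service
        Result  = Test-TcpPort -Target $DomainController -Port $port -Timeout $TimeoutMs
    }
}

$results | Format-Table -AutoSize

# Anything the DC should serve that shows 'filtered' is what to take back to the
# provider (or to your own VPN / firewall rules).
$suspect = $results | Where-Object { $_.Service -and $_.Result -eq 'filtered' }
if ($suspect) {
    Write-Warning ('No answer on: ' + (($suspect | ForEach-Object { $_.Port }) -join ', '))
}
```

Run it from the remote client, e.g. `.\Test-DcPorts.ps1 -DomainController 10.0.0.5`. For the full sweep the post recommends, pass a range such as `-ExtraPorts (49152..49400)` (the start of the dynamic RPC range) with a shorter timeout, or hand the same question to a dedicated scanner; this script is deliberately sequential so the results stay easy to read.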

2) Are your clients / software using NetBIOS?

If you are using a router such as the Draytek 3300 for a leased line connection, ensure that your PCs or other devices are not using raw NetBIOS, since the Vigor and other routers will not carry NetBIOS broadcasts across the VPN links. So check that NetBIOS over TCP/IP is active in the network connection settings on both server and clients (especially non-PC devices such as time clocks).
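Added example, not from the post: a PowerShell check of the NetBIOS over TCP/IP setting on every IP-enabled adapter, read from the Win32_NetworkAdapterConfiguration WMI class, with an `-Enable` switch (my name for it) that turns the setting on via the class's SetTcpipNetbios method. Devices that are not PCs, such as time clocks, have to be checked in their own network settings instead.

```powershell
# Added example: show the "NetBIOS over TCP/IP" state on every IP-enabled
# adapter and optionally switch it on. TcpipNetbiosOptions on the
# Win32_NetworkAdapterConfiguration class is 0 = take the setting from DHCP,
# 1 = enabled, 2 = disabled. Run elevated if you pass -Enable.
param([switch]$Enable)

$meaning = @{ 0 = 'Default (from DHCP)'; 1 = 'Enabled'; 2 = 'Disabled' }

$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'

foreach ($a in $adapters) {
    # The property is UInt32; cast to [int] so it matches the hashtable keys.
    $code = [int]$a.TcpipNetbiosOptions
    [pscustomobject]@{
        Adapter        = $a.Description
        IPAddress      = ($a.IPAddress -join ', ')
        WINSServer     = $a.WINSPrimaryServer      # broadcasts do not cross the VPN; WINS/DNS do
        NetBIOSoverTCP = $meaning[$code]
    }

    if ($Enable -and $code -ne 1) {
        $r = Invoke-CimMethod -InputObject $a -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = [uint32]1 }
        # ReturnValue 0 = done, 1 = done but a reboot is needed; anything else failed
        Write-Host ("SetTcpipNetbios on '{0}' returned {1}" -f $a.Description, $r.ReturnValue)
    }
}
```

Run it as-is on each server and client to get a table of adapters and their state; the `Default (from DHCP)` case means the answer depends on what the DHCP server hands out, so on a site where the DHCP scope does not set option 001 (NetBIOS node type) or WINS servers, pin it to `Enabled` on the machines that must be reached over the VPN. Because the routers do not forward NetBIOS broadcasts, every name that has to be reached across the link also needs a WINS or DNS entry.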

3) Are there issues preventing the remote PC from actually trying to log in each time you start it up?

Are you logging in using cached credentials?

Some MS info:

Functionality that cached domain credentials provide

Cached domain credentials provide the following functionality:

• Single Sign-On

Single Sign-On (SSO) uses the credentials that are collected during an interactive domain logon to let the user authenticate to a network one time. Thereafter, the user has access to all the authorized network resources without providing credentials again. These network resources may range from hardware devices to programs, files, and other types of data. All these resources may be spread throughout an enterprise on servers of various types. The resources may be in different domains or may be on different operating systems.

• Access to machine resources when a domain controller is unavailable

After a successful domain logon, a form of the logon information is cached. Later, a user can log on to the computer by using the domain account, even if the domain controller that authenticated the user is unavailable. Because the user has already been authenticated, Windows uses the cached credentials to log the user on locally. For example, suppose a mobile user uses a domain account to log on to a laptop that is joined to a domain. Then, the user takes the laptop to a location where the domain is unavailable. In this scenario, Windows uses the cached credentials from the last logon to log the user on locally and to allocate access to local computer resources.

Notes:

Issues with logging on successfully to a domain controller and getting access to AD-controlled folders and resources can be reasonably tricky to track down. You may find you cannot get access to an Exchange server, shared folders or printers, and you may also be unable to remove a machine from, or join a machine to, a domain.

Tip: create an AD user that has never logged on to the machine you are having problems with. Log on to the machine as that user and verify whether you can access AD resources such as shares, by entering \\servername in the Run box to see its shares. If it fails or asks for username verification, suspect cached credentials and check that you do not have, for example, drive mappings or shares from servers which no longer exist. Delete them with the net use /delete command, then reboot the machine.

Tip:

Use nslookup to verify access to the machine's primary DNS server. Verify other machine names on other subnets as well as the one you are on. Check that the DNS contains matching forward and reverse zone entries for your machine's IP address!

Tip:

Try changing the machine's IP address and its name to something different (and unique) on the subnet and ensure that you can complete the operation. Errors relating to usernames not being found when accessing the domain to authenticate can point to the issues above with "leftover" shares and permissions, which you should delete using the net use /delete driveletter: command (replace driveletter with your mapped drive letter).