WinNT authentication does not use cached domain credentials


Postby solymosi » 27 Jul 2018, 14:47

Using LM-Server 4.8 (4886) and LM-Viewer 4.8 (4886).

We are using WinNT authentication with domain credentials to sign in to machines in our organization. We also have the "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" GPO setting enabled on our notebooks. This way users can log on even if they are using their machines off-site and have no access to the domain controller.

See the following for more info:
https://docs.microsoft.com/en-us/window ... -available

The problem we have observed is that as soon as a machine is disconnected from the domain network, all domain authentication via LM-Server starts failing, even for domain users who have their local credentials cached (which we know because those users can still log in to the machine locally). The security log shows a logon error with the code 0xc000005e which stands for "there are no logon servers to service the request". However, as soon as the user at the machine connects to our VPN (= the domain controller becomes available), login with LM-Server NT authentication works again.

The root cause seems to be that LM-Server uses "network authentication" with NtLmSsp for WinNT authentication (which does NOT use cached credentials) instead of some form of "interactive logon" (which uses cached credentials).

We did not have this problem with the "Windows authentication" feature of TeamViewer. That one seemed to use "interactive logon" for WinNT authentication.

Steps to reproduce:

1. Assume a PC running LM-Server which is part of an Active Directory domain which has the "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" GPO setting enabled.
2. Ensure that the PC is connected to the domain network and log on and off as a domain user to make sure the credentials get cached.
3. While still connected to the domain network, log on to the PC remotely with LM-Viewer using domain credentials, to test that WinNT authentication works.
4. Disconnect from the domain network and reboot the PC.
5. Try logging in locally to the PC with the domain credentials. It should work (using the cached credentials).
6. Try logging in with LM-Viewer. The WinNT authentication will fail, and a security failure will be logged to the event log with the code 0xc000005e.

Expected behavior: the login with LM-Viewer continues to work (using the cached credentials), even after disconnecting from the domain network.

Is there a workaround for this problem? We cannot roll out LiteManager in our organization unless the WinNT authentication in LM-Server can be made to use cached domain credentials.

---------

UPDATE:

After further investigation it seems that the cached domain credentials are only used when the LogonUser WinAPI function is called with the LOGON32_LOGON_INTERACTIVE logon type. Using LOGON32_LOGON_NETWORK while outside the domain network results in error code 1311, which stands for "there are no logon servers to service the request".

Ideally, LM-Server should have a setting for choosing between "network" and "interactive" logon, similarly to how the Bitvise SSH server does it:
https://www.bitvise.com/wug-logontype
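The update above narrows the behaviour down to the logon type passed to LogonUser. The following PowerShell script is an added diagnostic, not code from the thread or from LiteManager: it calls advapi32's LogonUser once per logon type with the same domain account and reports which types succeed and which fail with Win32 error 1311 (ERROR_NO_LOGON_SERVERS). It assumes you run it on the affected PC while it is off the domain network, with an account whose credentials were cached by an earlier interactive logon; the function name Test-LogonType and the namespace Probe.NativeLogon are mine.

```powershell
# Added example (not from the thread): probe which LogonUser logon type works
# for a domain account on a PC that is currently off the domain network.
# Assumes an elevated PowerShell session on the affected machine and a domain
# account whose credentials were previously cached by an interactive logon.

$signature = @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(
    string lpszUsername, string lpszDomain, string lpszPassword,
    int dwLogonType, int dwLogonProvider, out IntPtr phToken);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
# Hypothetical type name chosen for this example
Add-Type -MemberDefinition $signature -Name NativeLogon -Namespace Probe

# Logon type constants as defined in winbase.h
$LogonTypes = [ordered]@{
    LOGON32_LOGON_INTERACTIVE = 2
    LOGON32_LOGON_NETWORK     = 3
    LOGON32_LOGON_BATCH       = 4
}
$LOGON32_PROVIDER_DEFAULT = 0
$ERROR_NO_LOGON_SERVERS   = 1311   # the error code reported in the thread

function Test-LogonType {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$TypeName
    )
    # LogonUser takes user and domain separately; split DOMAIN\user here.
    $parts  = $Credential.UserName.Split('\', 2)
    $domain = if ($parts.Count -eq 2) { $parts[0] } else { '.' }
    $user   = $parts[-1]
    $token  = [IntPtr]::Zero

    $ok = [Probe.NativeLogon]::LogonUser(
            $user, $domain, $Credential.GetNetworkCredential().Password,
            $LogonTypes[$TypeName], $LOGON32_PROVIDER_DEFAULT, [ref]$token)
    # Read the Win32 error immediately after the P/Invoke call
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($ok) { [void][Probe.NativeLogon]::CloseHandle($token) }

    [pscustomobject]@{
        LogonType      = $TypeName
        Succeeded      = $ok
        Win32Error     = if ($ok) { 0 } else { $err }
        NoLogonServers = (-not $ok) -and ($err -eq $ERROR_NO_LOGON_SERVERS)
    }
}

# Prompt for the domain account rather than embedding a password in the script
$cred = Get-Credential -Message 'Domain account with cached credentials (DOMAIN\user)'
$LogonTypes.Keys |
    ForEach-Object { Test-LogonType -Credential $cred -TypeName $_ } |
    Format-Table -AutoSize
```

On a machine that matches the report, the interactive row should succeed from the cache while the network row fails with NoLogonServers set, which is exactly the split the update describes. Two caveats when reading the output: each logon type also needs its own user right (interactive, network or batch logon), so LOGON32_LOGON_BATCH will usually fail for ordinary accounts with a "logon type not granted" error rather than 1311; and every failed call still lands in the Security log as the same 0xc000005e audit the first post mentions, so run the probe a small number of times if someone is watching those events.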

Re: WinNT authentication does not use cached domain credenti

Postby admin » 29 Jul 2018, 08:47

Hi Solymosi!
You must be a very clever/smart man; I'm really impressed by your comment.

We added an additional option for WinNT security (SSPI), with the flags LOGON32_LOGON_BATCH, LOGON32_LOGON_INTERACTIVE, LOGON32_LOGON_NETWORK.
I'm not sure that it will work, because it's not a simple task.

Please test it: new LMServer files, just download and replace them (stop LM Server before).
http://litemanager.ru/bug_test/ROMServer2.zip
These are clean files; don't worry if your AV notifies you about a threat, all clean.

Hope together we solve the problem
[Screenshot: sspi.png, "Authorization settings"]
Best Regards LiteManagerTeam

Re: WinNT authentication does not use cached domain credenti

Postby admin » 30 Jul 2018, 08:15

Please don't hesitate to contact me support@litemanager.com
Best Regards LiteManagerTeam

Re: WinNT authentication does not use cached domain credenti

Postby solymosi » 05 Aug 2018, 11:51

admin wrote: Please test it: new LMServer files, just download and replace them (stop LM Server before).
http://litemanager.ru/bug_test/ROMServer2.zip
These are clean files; don't worry if your AV notifies you about a threat, all clean.


Thank you for the fast response and the updated version! We will test it in the next few days and see if it works.