WinNT authentication does not use cached domain credentials

Postby solymosi » 27 Jul 2018, 14:47

Using LM-Server 4.8 (4886) and LM-Viewer 4.8 (4886).

We are using WinNT authentication with domain credentials to sign in to machines in our organization. We also have the "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" GPO setting enabled on our notebooks. This way users can log on even if they are using their machines off-site and have no access to the domain controller.

See the following for more info:
https://docs.microsoft.com/en-us/window ... -available

The problem we have observed is that as soon as a machine is disconnected from the domain network, all domain authentication via LM-Server starts failing, even for domain users who have their local credentials cached (which we know because those users can still log in to the machine locally). The security log shows a logon error with the code 0xc000005e which stands for "there are no logon servers to service the request". However, as soon as the user at the machine connects to our VPN (= the domain controller becomes available), login with LM-Server NT authentication works again.

The root cause seems to be that LM-Server uses "network authentication" with NtLmSsp for WinNT authentication (which does NOT use cached credentials) instead of some form of "interactive logon" (which uses cached credentials).

We did not have this problem with the "Windows authentication" feature of TeamViewer. That one seemed to use "interactive logon" for WinNT authentication.

Steps to reproduce:

1. Assume a PC running LM-Server which is part of an Active Directory domain which has the "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" GPO setting enabled.
2. Ensure that the PC is connected to the domain network and log on and off as a domain user to make sure the credentials get cached.
3. While still connected to the domain network, log on to the PC remotely with LM-Viewer using domain credentials, to test that WinNT authentication works.
4. Disconnect from the domain network and reboot the PC.
5. Try logging in locally to the PC with the domain credentials. It should work (using the cached credentials).
6. Try logging in with LM-Viewer. The WinNT authentication will fail, and a security failure will be logged to the event log with the code 0xc000005e.

Expected behavior: the login with LM-Viewer continues to work (using the cached credentials), even after disconnecting from the domain network.

Is there a workaround for this problem? We cannot roll out LiteManager in our organization unless the WinNT authentication in LM-Server can be made to use cached domain credentials.

---------

UPDATE:

After further investigation it seems that the cached domain credentials are only used when the LogonUser WinAPI function is called with the LOGON32_LOGON_INTERACTIVE logon type. Using LOGON32_LOGON_NETWORK while being outside the domain network results in error code 1311, which stands for "there are no logon servers to service the request".

Ideally, LM-Server should have a setting for choosing between "network" and "interactive" logon, similarly to how the Bitvise SSH server does it:
https://www.bitvise.com/wug-logontype
solymosi
Posts: 5
Joined: 27 Jul 2018, 14:14
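The behaviour described in the post and its update (LOGON32_LOGON_NETWORK failing with 1311 off-domain while LOGON32_LOGON_INTERACTIVE consults the credential cache) can be reproduced directly against the LogonUser API without LM-Server in the picture. The script below is an added example, not LiteManager's code; it P/Invokes LogonUserW from advapi32 once per logon type on the machine under test and then lists recent 4625 Security events whose Status is 0xC000005E, so the logon type Windows actually recorded can be compared with what the server claims to use. The domain and user name (CONTOSO\alice) are constructed placeholders; the function names Test-LogonType and Get-NoLogonServerFailures are this example's own.

```powershell
# Added example (not LiteManager's code). Probes which LogonUser logon types
# succeed on this machine and which fail with ERROR_NO_LOGON_SERVERS (1311),
# then lists matching 4625 failures from the Security log.
# Assumed placeholder account: CONTOSO\alice (replace with a real domain user
# whose credentials are cached on this machine).

Add-Type -Namespace LogonProbe -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUserW(
    string lpszUsername, string lpszDomain, string lpszPassword,
    int dwLogonType, int dwLogonProvider, out IntPtr phToken);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

# Logon type constants from winbase.h; the thread is about INTERACTIVE vs NETWORK.
$LogonTypes = [ordered]@{
    LOGON32_LOGON_INTERACTIVE     = 2   # consults cached domain credentials
    LOGON32_LOGON_NETWORK         = 3   # needs a reachable DC for domain accounts
    LOGON32_LOGON_BATCH           = 4
    LOGON32_LOGON_NEW_CREDENTIALS = 9   # does not validate the password locally
}
$LOGON32_PROVIDER_DEFAULT = 0
$LOGON32_PROVIDER_WINNT50 = 3   # required by LOGON32_LOGON_NEW_CREDENTIALS
$ERROR_NO_LOGON_SERVERS   = 1311

function Test-LogonType {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][securestring]$Password,
        [Parameter(Mandatory)][string]$LogonTypeName
    )
    $type     = $LogonTypes[$LogonTypeName]
    $provider = if ($type -eq 9) { $LOGON32_PROVIDER_WINNT50 } else { $LOGON32_PROVIDER_DEFAULT }

    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $token = [IntPtr]::Zero
        $ok  = [LogonProbe.Native]::LogonUserW($UserName, $Domain, $plain, $type, $provider, [ref]$token)
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($token -ne [IntPtr]::Zero) { [void][LogonProbe.Native]::CloseHandle($token) }
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)   # scrub the plaintext copy
    }

    [pscustomobject]@{
        LogonType  = $LogonTypeName
        Success    = $ok
        Win32Error = if ($ok) { 0 } else { $err }
        Note       = if (-not $ok -and $err -eq $ERROR_NO_LOGON_SERVERS) {
                         'ERROR_NO_LOGON_SERVERS: DC unreachable and credential cache not consulted'
                     } elseif ($type -eq 9 -and $ok) {
                         'NEW_CREDENTIALS succeeds without checking the password'
                     } else { '' }
    }
}

# Recent 4625 events whose Status is 0xC000005E (no logon servers), with the
# Logon Type Windows recorded; this is how the thread tells network from
# interactive attempts. Reading the Security log needs an elevated shell.
function Get-NoLogonServerFailures {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $status    = [regex]::Match($_.Message, '(?m)^\s*Status:\s+(0x[0-9A-Fa-f]+)').Groups[1].Value
            $logonType = [regex]::Match($_.Message, '(?m)^\s*Logon Type:\s+(\d+)').Groups[1].Value
            if ($status -ieq '0xC000005E') {
                [pscustomobject]@{ Time = $_.TimeCreated; LogonType = $logonType; Status = $status }
            }
        }
}

# Usage: run on the off-domain machine with the account LM-Server would validate.
$cred = Get-Credential -Message 'Domain account with cached credentials (placeholder: CONTOSO\alice)'
$user, $domain = $cred.UserName, 'CONTOSO'
if ($cred.UserName -match '^(?<d>[^\\]+)\\(?<u>.+)$') { $domain = $Matches.d; $user = $Matches.u }
foreach ($name in $LogonTypes.Keys) {
    Test-LogonType -UserName $user -Domain $domain -Password $cred.Password -LogonTypeName $name
}
Get-NoLogonServerFailures | Format-Table -AutoSize
```

Two points matter when reading the output. First, LOGON32_LOGON_INTERACTIVE only succeeds off-domain if the account has cached credentials and the "Allow log on locally" right on that machine, which is the same precondition the cached-logon GPO already imposes. Second, LOGON32_LOGON_NEW_CREDENTIALS returns a token without verifying the password against anything local, so a server that treats that call's success as "user authenticated" would accept any password; it is useful for outbound network identity, not for deciding whether to grant access.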

Re: WinNT authentication does not use cached domain credenti

Postby admin » 29 Jul 2018, 08:47

Hi Solymosi !
You must be a very clever/smart man, I'm really impressed by your comment.

We added an additional option for WinNT security (SSPI), flags LOGON32_LOGON_BATCH, LOGON32_LOGON_INTERACTIVE, LOGON32_LOGON_NETWORK.
I'm not sure that it will work, because it's not a simple task.

Please test the new LM Server files, just download and replace them (stop LM Server first):
http://litemanager.ru/bug_test/ROMServer2.zip
These are clean files, don't worry if your AV notifies you about a threat, all clear.

Hope together we will solve the problem.
[Attachment: sspi.png, "Authorization settings"]
Best Regards LiteManagerTeam
admin
Administrator
Posts: 266
Joined: 07 Jun 2010, 13:19

Re: WinNT authentication does not use cached domain credenti

Postby admin » 30 Jul 2018, 08:15

Please don't hesitate to contact me support@litemanager.com
Best Regards LiteManagerTeam
admin
Administrator
Posts: 266
Joined: 07 Jun 2010, 13:19

Re: WinNT authentication does not use cached domain credenti

Postby solymosi » 05 Aug 2018, 11:51

admin wrote: Please test the new LM Server files, just download and replace them (stop LM Server first):
http://litemanager.ru/bug_test/ROMServer2.zip
These are clean files, don't worry if your AV notifies you about a threat, all clear.


Thank you for the fast response and the updated version! We will test it in the next few days and see if it works.
solymosi
Posts: 5
Joined: 27 Jul 2018, 14:14

Re: WinNT authentication does not use cached domain credenti

Postby solymosi » 09 Dec 2018, 00:45

admin wrote: We added an additional option for WinNT security (SSPI), flags LOGON32_LOGON_BATCH, LOGON32_LOGON_INTERACTIVE, LOGON32_LOGON_NETWORK.
I'm not sure that it will work, because it's not a simple task.


Unfortunately none of the options worked - in particular, choosing LOGON32_LOGON_INTERACTIVE did not result in the cached credentials being used. I am not sure exactly why though, it might just have been a configuration issue: I noticed that a server restart sometimes caused the login type setting to reset to a blank value in the settings dialog box. Most interestingly, there was no difference in the events reported in the security event log: even when set to LOGON32_LOGON_INTERACTIVE, Windows still reported the logins as network login attempts.

Here are the steps I followed:

1. Log in to the target account locally to make sure the credentials are cached.
2. Disconnect the machine from the domain.
3. Reboot the machine.
4. Log in locally to make sure interactive login works with the cached credentials.
5. Try logging in remotely via LiteManager (server and client version = 4886); it fails as expected.
6. Replace the server binaries with the test version provided by you.
7. Go to the settings, select the LOGON32_LOGON_INTERACTIVE setting, save the settings.
8. Restart the server and go back to the settings to make sure the configuration got saved properly.
9. If it was, try logging in remotely again (server = test build; client version = 4886).
10. Login failed.
solymosi
Posts: 5
Joined: 27 Jul 2018, 14:14

Re: WinNT authentication does not use cached domain credenti

Postby admin » 11 Dec 2018, 10:10

Check it with 4.9:
http://litemanager.com/soft/litemanager_4.9.zip

Some additional info
https://docs.microsoft.com/en-us/window ... logonusera

LOGON32_LOGON_INTERACTIVE
This logon type is intended for users who will be interactively using the computer, such as a user being logged on by a terminal server, remote shell, or similar process. This logon type has the additional expense of caching logon information for disconnected operations; therefore, it is inappropriate for some client/server applications, such as a mail server.

Added a new parameter LOGON_TYPE_NEW_CREDENTIALS, check it in the LM Server security settings.
http://litemanager.ru/bug_test/ROMServer.zip
Best Regards LiteManagerTeam
admin
Administrator
Posts: 266
Joined: 07 Jun 2010, 13:19
