ErazerMe asked ErazerMe commented

After entering a wrong username, the 'Welcome' screen takes very long to load

After entering a wrong username (domain joined) on a Windows 10 client, the 'Welcome' screen is shown for around 3-4 minutes until the error message 'The user name or password is incorrect' appears.
Does anybody know if this long delay is the default behaviour of Windows 10? I am not exactly sure, but I think Windows 7 didn't take that long to verify the username.

During my troubleshooting, I noticed that the client is contacting each domain controller in our domain over LDAP (lsass.exe), and this takes a long time.
In our environment, we have around 22 domain controllers.
Is there any possibility to speed up the "username" checking, and can we maybe restrict the client to check the username against only a few domain controllers (nearest 3 DCs)?

If this behaviour is the default, maybe someone can point me to where I can read about the default process, because I have to provide a solution/answer to our users.

Thanks a lot.

Reza-Ameri answered

You may try to enable the cache account.
In Group Policy, navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. There is a policy called "Interactive logon: Number of previous logons to cache (in case domain controller is not available)", and this could speed up login.

LimitlessTechnology-2700 answered ErazerMe commented

Hello @ErazerMe

I would suggest you have a look at the Microsoft blog post below, which explains the same.

https://devblogs.microsoft.com/oldnewthing/20100323-00/?p=14513

If the reply was helpful, please don’t forget to upvote or accept as answer.

Thanks,


Thanks for your post.

I know the general process of checking the correctness of user/password: 1. locally, 2. Domain Controller
My main question is, why does the client contact each domain controller in the domain to check the username? Is this the default behaviour, or do we have a problem within our environment?
Normally, when a client receives "wrong username/password" from one DC, I would accept it if the client goes to the KDC and asks the KDC domain controller for cross-checking. But why is the client contacting ALL domain controllers?

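A diagnostic for the behaviour described in the question, as an added example that is not part of any post in this thread: it times a TCP connect to LDAP (port 389) on every domain controller of the current domain, so slow or unreachable DCs stand out. It assumes a domain-joined client, a logged-on domain user, and an arbitrarily chosen 3-second timeout; it does not by itself prove what lsass.exe is waiting on.

```powershell
# Added example: per-DC LDAP connect timing from a domain-joined client.
# Assumption: 3000 ms is an arbitrary timeout chosen for this sketch.
$timeoutMs = 3000
$ldapPort  = 389

# Enumerate the domain controllers of the domain the current user belongs to.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

$results = foreach ($dc in $domain.DomainControllers) {
    $client    = New-Object System.Net.Sockets.TcpClient
    $stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
    $reachable = $false
    try {
        # ConnectAsync plus Wait gives a bounded connect attempt.
        $task      = $client.ConnectAsync($dc.Name, $ldapPort)
        $reachable = $task.Wait($timeoutMs) -and $client.Connected
    } catch {
        # Refused connections and name resolution failures end up here.
        $reachable = $false
    } finally {
        $stopwatch.Stop()
        $client.Close()
    }
    [pscustomobject]@{
        DomainController = $dc.Name
        LdapReachable    = $reachable
        ConnectMs        = $stopwatch.ElapsedMilliseconds
    }
}

# Slowest DCs first; timeouts show up as ConnectMs close to $timeoutMs.
$results | Sort-Object ConnectMs -Descending | Format-Table -AutoSize

# A sequential walk over all DCs costs roughly the sum of these times.
$totalMs = ($results | Measure-Object -Property ConnectMs -Sum).Sum
"Sum of connect times: {0:N1} s" -f ($totalMs / 1000)

# The AD site this client believes it is in (DC location prefers DCs in that site).
nltest /dsgetsite
```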