KevinGoosie-3065 asked:

Cached Logons Set to 10 - Runas Administrator Overwriting

So, I have this weird issue where the cached logons for interactive logon is set to 10, but will only cache one account. I log in as a standard user and that logon is cached, but after "run as administrator" is executed, using a separate domain account for local admin rights, the credentials just saved from the standard user are overwritten with that local admin domain account.

When this happens, the end user is not able to log back in without being on the domain, unless they immediately lock then unlock with their standard logon.

Tags: windows-10-general, windows-10-security, windows-10-setup

KevinGoosie-3065 answered:

I actually found the answer. Took some time, but it is stated here:

https://docs.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration#smart-card-sign-in-flow-in-windows

Under 2c at the Note.

"Smartcard cache entries are created for certificates with a subject name or with a subject key identifier. If the certificate has a subject name, it is stored with an index that is based on the subject name and certificate issuer. If another certificate with the same subject name and certificate issuer is used, it will replace the existing cached entry. A change in this behavior after Windows Vista allows for the condition when the certificate does not have a subject name: the cache is created with an index that is based on the subject key identifier and certificate issuer. If another certificate has the same subject key identifier and certificate issuer, the cache entry is replaced. When certificates have neither a subject name nor subject key identifier, a cached entry is not created."


LimitlessTechnology-2700 answered:

Hello @KevinGoosie-3065

I would suggest you check if AD Replication is in healthy state.

Also, please run the commands below:

C:\> gpupdate /force
C:\> gpresult /h c:\temp\gpresult.html

to verify that the cached credentials settings are applied properly.

If the reply was helpful, please don’t forget to upvote or accept as answer.


KevinGoosie-3065 answered (edited):

AD Replication is healthy.

gpupdate /force completed without any issues
gpresult reported back the correct cached logon count was applied.

Also, we are on 1909.

I am almost wondering if it only started using a single slot after an update, but what update I am not sure.


KevinGoosie-3065 answered:

Let me add some more information to this.

Smart cards are being used and the standard account smart card and the admin smart card are issued from the same CA.

Can anyone tell me where Microsoft states that it will only cache one set of smart card credentials from a single CA?

Essentially in this case, both smart cards would have to be from different CAs.

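As an added example (not from this thread, and not Microsoft's code), the PowerShell script below applies the cache-index rule quoted earlier from the documentation to the Smart Card Logon certificates in the current user's personal store, where the Certificate Propagation service places smart card certificates, and reports which certificates would share a single cache entry, which is the same-CA question raised in the last post. It assumes the certificates from both cards have been propagated into that store; the index strings are this script's own representation of the rule, not the format Windows uses internally.

```powershell
# Added example: model the documented smart card cache index rule against the
# certificates in Cert:\CurrentUser\My and flag certificates that would collide.
$smartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU OID

function Get-SmartCardCacheIndex {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ski = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension] } |
        Select-Object -First 1
    if ($Cert.Subject) {
        # Rule 1: subject name present -> index on subject name + issuer
        return "SUBJECT=$($Cert.Subject)|ISSUER=$($Cert.Issuer)"
    } elseif ($ski) {
        # Rule 2: no subject name -> index on subject key identifier + issuer
        return "SKI=$($ski.SubjectKeyIdentifier)|ISSUER=$($Cert.Issuer)"
    }
    # Rule 3: neither subject name nor SKI -> no cache entry is created
    return $null
}

$byIndex = @{}
Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    # Only certificates carrying the Smart Card Logon EKU take part in smart card sign-in
    $eku = $_.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $smartCardLogonEku })) { return }

    $index = Get-SmartCardCacheIndex -Cert $_
    if ($null -eq $index) {
        Write-Warning "$($_.Thumbprint): no subject name or SKI; Windows would not create a cache entry"
        return
    }
    if (-not $byIndex.ContainsKey($index)) { $byIndex[$index] = @() }
    $byIndex[$index] += $_.Thumbprint
}

foreach ($entry in $byIndex.GetEnumerator()) {
    if ($entry.Value.Count -gt 1) {
        Write-Output "COLLISION: $($entry.Value -join ', ') share cache index [$($entry.Key)]; the last card used overwrites the others"
    } else {
        Write-Output "OK: $($entry.Value[0]) -> [$($entry.Key)]"
    }
}
```

Run it in each affected user's session, since the personal store is per user; two certificates from the same CA collide under this rule only if they also share a subject name (or, lacking one, a subject key identifier).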