HELP! Slow logon with Cached Credentials off domain. Have xperf files.

Similar Messages

• Authenicated with Cached Credentials

  I have 2 identical Mac Book Pro laptops (I use one as a backup). I do a full backup of the production Mac using SuperDuper and install it on the other to use as a replacement if needed. They are never on the network (Windows 2003/AD) at the same time. When logging into the network on the backup laptop a message pops up saying Authenicated with Cached Credentials. After several times of logging in you are no longer able to log in at all. Is there something I need to clear that I am missing?

  Hi beachbum 2013, and a warm welcome to the forums!
  Hmmm, might see if this is of any help...
  http://www.scribd.com/doc/6075527/Group-Policies-for-Mac-OS-X
  Next time it won't login, try logging out, then logon to your Mac, click the Other... button on the logon screen and use domain/username as your logon information.

• Domained laptop - slow logon when connected to non-domain network

  Hi,
  I'm looking for ideas on how to solve or workaround this issue, so any help would be appreciated.  Please note that this doesn't appear to be the usual type of "slow login" problem - in fact I'm pretty certain the issue is caused by public DNS
  servers which return placeholder IP addresses for unknown domains, rather than correctly reporting them as being unknown, which is making XP "hang up" looking for servers which don't really exist.  Either way, it's causing a lot of problems for our remote
  users.
  The scenario is this.  When domain-member laptops are not on the domain network, they can take anywhere between 5-30 minutes to login.  This issue only occurs when the network they're connected to presents DNS servers which resolve unknown DNS
  hosts/domains to "placeholder" sites.  Whilst Windows 7 laptops do also seem to suffer from this, login delays on those are at worst a couple of minutes, whereas the Windows XP machines are affected for much longer.
  Maybe a bit more info will make it clearer :)
  The AD namespace shares the external domain, and there are public DNS records for the external domain, but obviously not for internal hosts (like DCs).  So internally, the FQDNs of the domain controllers are "DC1.company.com", "DC2.company.com" etc.
  When the laptop is connected to users home network, users can logon quickly (<30 seconds), as long as the DNS server offered by DHCP on that network doesn't return an IP for hosts/domains which don't exist publicly.  If they do, login takes 5-30 minutes.
  I've confirmed this by doing a lookup of the domain on the affected networks to ascertain which DNS servers return placeholder IPs rather than reporting that name resolution isn't possible.  For example, OpenDNS's servers (208.67.222.222, 208.67.220.220)
  return placeholders, Google's (8.8.8.8, 8.8.4.4) don't.  Using OpenDNS to lookup "dc1.company.com" returns their placeholder IP of 67.215.65.132, using Google's returns "can't find dc1.company.com: Non-existent domain".  OpenDNS is being used
  as an example, increasingly ISP's seem to be using redirection, we're getting this issue with BT and Virgin Media networks, plus a couple of others.
  So, if I manually set DNS on a laptop to use Google's servers, then connect it to one of the affected networks, login is virtually instantaneous.  I remove the manually configured DNS servers and allow DHCP to present the ISP's own servers, login is
  seriously delayed.
  From this I can only assume that the fact that the names are resolving at all is causing the delay.  I've removed possibly contributory factors from the equation, such as roaming profiles, redirected folders, mapped drives, group policy etc which the
  workstation might be trying to access and causing a delay, as well as checking that fast logon optimization is active.
  At the moment we're having to tell users to not connect to the network until after they've logged in, which you'd think wouldn't be that big a deal but you know what users are like :) 
  I appreciate this issue really seems due to bad practice by ISPs rather than with Windows itself, but we really need a fix we can apply ourselves.  Reconfiguring users' home networks really isn't an option, there's too many of them, plus that wouldn't
  solve the problem when they're using other networks (hotels etc).  I don't think setting "good" DNS servers manually is an option, certainly I can't think of a way that would still work when they're connected to our internal LAN. 
  I'm thinking there must be some way we can set a timeout or something on the workstations so they don't spend so long trying to communicate with what they think are domain servers, but dispite much searching, I've been unable to find anything that works.
  So, any help would be gratefully recieved.
  Thanks

  Thanks for the reply Martin, unfortunately it didn't help matters, but after pondering for a while (and eventually kicking myself for missing something so obvious) I did come up with a solution.
  Basically, just set up public DNS A records for the internal servers and point them to 127.0.0.1 (setting up a wildcard DNS entry for the domain also pointing to 127.0.0.1 would do the same thing).
  Sure enough logon now takes about 5 seconds, even on the Windows 7 machines (which were only taking a minute or so anyway).
  Loopback is the best place to point these to,  Pointing them to a public server didn't work, and pointing them at a non routeable private IP didn't work either. 
  To help anyone else confirming this is also the cause of their slow logon issue - when all three conditions are met it's time to mess with your public DNS!
  The FQDN of the domain is public (company.co.uk) and not local (company.local).
  The DNS servers in use on the network (or the ISP's DNS servers to which DNS requests are forwarded) return placeholder IPs for unknown host addresses, rather than a "non-existent domain or host" error.  This can be confirmed by pinging (or doing an
  nslookup) on the affected machine, for a host for which no public DNS record exists (ie ping wibble.microsoft.com) - if an IP address is returned then the DNS servers in use are resolving unknown hosts/domains to a placeholder IP.
  If you allow the machine to login on the external network, then run a
  ipconfig /displaydns you'll see entries for attempts to resolve internal servers themselves, plus lookups relating to the AD domain such as
  _msdcs.gc._tcp._ldap.internaldomain.co.uk and such - these shouldn't be there off-domain, and I believe they indicate the machine thinks it's on the domain, even though it isn't.
  Hope this helps someone else out.
  Ray Von

• Windows 7 802.1x wifi profile issue with cached credentials

  We have a wireless network that is setup as WPA2-Enterprise AES using 802.1x. We have a user that is constantly having his account locked out. When we trace where it's coming from, it's from our
  radius server (which is only used for this one wireless network). We have already deleted the profile and recreated it. If we uncheck the option to remember the username/password, and enter that manually at prompt, it connects fine. As soon as we check that
  option back, it fails and will keep failing and eventually lock out his acocunt. We have recreated his user profile and the wifi profile with no luck. I've done the following http://security.stackexchange.com/questions/15574/how-do-i-clear-cached-credentials-from-my-windows-profile
  but to no avail. There are no credentials listed when I go this route. Can someone shed light as to where it is hiding these credentials?

  Hi
  Maybe change settings on RADIUS server to allow more than 5 successive login attempts.
  If you look at the windows security log on the radius server can you see if it giving errors of bad username or password?
  Hope this helps. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• Issue in Infoview Logon with AD Credentials

  Hi All,
  I have implemented AD Authentication in BOXI3.1 Environment.
  Kinit is working fine and Iam able to logon to Desktop Intelligence and Webi Rich Client without any issue.
  But iam facing issue when logging into Infoview. I can logon to Infoview with the [email protected], but not with Username without mentioning the Domain name.
  Previously there was spaces in my Username such as Test User and then I have renamed it to Test_User and tried but no luck. Getting the below error when i try to logon with Test_User.
  Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)
  Enter your user information and click Log On.
  (If you are unsure of your account information, contact your system administrator.)
  Please let me know what might be the issue causing this error.
  Regards,
  Deepika Palani

  Hi
  Click Start > All Programs > Tomcat > Tomcat Configuration.
  Click the Java tab.
  Edit the lines beginning Djava.security.auth. and Djava.security.krb5 to include bscLogin.conf and Krb5.ini so they appear as below:
    Djava.security.auth.login.config=<fullpath>\bscLogin.conf
    Djava.security.krb5.conf=<fullpath>\Krb5.ini
  Save the changes
  Ensure that all mapped groups are correct and present in AD
  Ask Network admin to search for any duplicate service principal names in AD.
  Also ask him if any change has been made to concerned AD group.
  SSO enabled?
  When u said u changed to 'Test_User' you mean that you changed name in AD, right?
  Are there multiple domains?
  Sandeep

• Slow logon with domain credentials when not on company network

  Hello,
  I have my MacBook Pro bound to the domain. When I am connected to the company network via a network cable, login is at normal speed. If I unplug the network cable, reboot, then try to login it takes minutes to get to my desktop. I'm guessing that it's looking for a domain controller or something. I'm doing this to simulate what it would be like if someone was away from the office.
  I have another MacBook Pro that acts the same way.
  Our domain is a .local domain. If this is the reason it's taking so long, is there a work around? Or a way to make it go through this process a little faster? Sometimes it takes as long at 2.5 minutes.
  Thanks,
  Josh

  I called into Apple support since no one has responded on this.
  He had two suggestions.
  1) Input our domain servers as the DNS servers in Network preferences. This works great except for when I'm wanting to use the Internet. It, of course, doesn't resolve any names to be able to go to websites. (EDIT: What I mean is that when I'm at another location it doesn't resolve names. If I manually input the DNS servers on my ethernet adapter, it will only resolve the name if those servers are available. When I'm not in the office, they aren't available. This speeds the login time up, but causes other issues.)
  2) Change our domain to something different than .local. We just can't do that at this time.
  I tried something that appears to work on this MacBook, but on the other one that is having the same problem it doesn't work. I manually input our domain.local in the Search Domains right by the DNS options in network settings. To be honest, I'm not 100% sure what that effects. So maybe it's completely happenstance? I'm not sure why it appears to work on one and not the other. When I say 'work' I mean that it only takes a few seconds to log in rather than minutes.
  The only difference between the two is processor speed.
  Any thoughts or can someone explain to me what affect manually filling out the Search Domain field would have?
  Message was edited by: Josh_P

• How can I login to Lion with cached credentials

  I am able to authenticate Lion against active directory and LDAP.  Now when I disconnect from the network, I am unable to login to my network account and I don't even get the to the account named" Other".  I would like to be able to use my network account even if I am not connected to the network.  Just like in Windows.  Does anyone know how the fix for this?  Thamnk you!

  Hi
  Part of what you say here is correct, but not all.
  On a Mac running Mountain Lion (and I believe earlier), you can have the system create a 'Mobile Account' for any user account, including a Network Managed account. A Domain Account from a Windows Domain Controller can be just as easily created as a Mobile Account from the individual Mac PCs that might be connected.
  When binding the Mac machine to the Windows AD domain, an option is available to allow creation of Mobile accounts. This should be ticked on, preferably with the option to prompt for the creation of mobile accounts as well. Once this is set correctly, when you login to the machine with your domain account for the first time, you will be prompted to create a mobile account. If you do, the account details are cached, and you will be able to logon to the Mac remotely (and not connected) using the domain account.
  As your your discussion on "Roaming Profiles", not everyone in a Windows AD world using Roaming Profiles (we certainly dont as we are a relatively small company), so you cant assume everyone does this. Most small companies (at least) dont enable roaming profiles

• Trying to log into a RDS server using cached credentials

  I have a Windows Server 2012 R2 with Remote Desktop Services installed and it is a member server in my domain.   As a test,  I have cut the network connection between the RDS server and the domain controller.   I can log into the
  RDS server at the console with my cached domain account,  but I can't RDP into the server with my cached domain accout.   It is telling me the specified domain either does not exist or could not be contacted.   Does RDS sessions not
  use cached credentials ?    I have set the Group Policy Option: Interactive logon: Number of previous logons to cache (in case domain controller is not available) to 30.   That didn't seem to make any difference.  Thanks for any
  help with this problem.

  Hi,
  By default Network Level Authentication (NLA) will be used for RDP connections, and this requires the domain controller to be available.  If you needed to you could disable the requirement to use NLA in the collection properties and set a custom rdp
  property so that clients would not attempt to use NLA when they connect.  The downside of this approach is clients will never use NLA when connecting and instead will see a server-side log on screen, and may get multiple prompts for credentials.
  It is preferred to use NLA where possible, which in most cases it is since modern clients support it.
  -TP

• Slow performance with applications

  Hello,
  We recently moved offices, and with that we changed a number of things in our setup. We added 2 new storage drives (attached via Thunderbolt 2) and setup networked user profiles on the iMac's.
  The profiles are stored on storage drives which is attached via Thunderbolt 2 but seem to have issues when loading larger files. The spinning wheel of death seems to occur regularly in the Adobe products, Word and even Google Chrome.
  We have 10 - 12 machines running on the network, currently it's all 1GbE connections, we are looking into a 10GbE connection from the server into the switch.
  Is there a way to cache the users profile to the machine for faster performance? We are losing performance and would like to get the performance back that we had from when we had local user accounts.
  Thanks
  Jacob

  Hey Reid,
  Thanks for your help on this. I have a few more questions;
  How do I get the desktop background to sync so if they move machine, the background is identical?
  Automatic Sync, how does that work? Does it just sync whenever a change is made?
  Cheers
  Jacob
  Strontium90 wrote:
  Aha.  So here is were the home folder types gets more complicated.  A general primer.
  Local Homes – These are the accounts on a workstation that were created on the workstation.  The user data and the user attributes are local to the device.  The local admin account is an example of this account type.
  Mobile Accounts – These can be used when a workstation is bound to a directory server.  This can be OD or AD.  Without caching, the user can only login to the workstation if the domain controller is available.  A local home folder is created on the workstation, account attributes are on the server, and no offline access is possible.
  Mobile Accounts with Cached credentials (Mobility) – These can be used when a workstation is bound to a directory server.  This can be OD or AD.  Mobility allows the account credentials to be cached to the workstation for offline use.  The home folder is on the workstation.  The master user credentials are on the server but a cached copy is written to the workstation for offline use.  For this to work you must use Mobility through MCX or Profile Manager.  MCX is dead so be mindful of future migrations.
  Network Home Folders – These can be used when a workstation is bound to a directory server.  This can be OD or AD.  In this case, the user's home folder is on the server and is accessed via an Automount record over SMB or AFP.  Performance is based on your architecture and limitations are many.  Network home folders are idea for education where computing resources are not one-to-one and were device usage is often less than an hour at a time.
  Those are the basic account types.  You are now asking for home folder sync.  This too is available through the Mobility payload.  With this feature enabled, the Mobile Accounts with Cached credentials works from a local home folder.  However, this folder can be automatically synchronized to the server, allowing some level of user mobility.
  When you say the workstations need to be bound to the OD Master, do you mean they need to be able to login etc? They are already capable of doing that.
  Yes.  You have already accomplished this as you are doing network homes.  There is nothing else you need to do from a workstation perspective.
  Im currently looking through Workgroup Manager. Is it as easy as changing the group manage preferences to "Always" and then set up the "Create home using" -> "Local home template"? How does this sync across the network if they want to use a different machine?
  Generally, yes.  As mentioned, Syncing is an additional payload.  I strongly recommend testing the syncing on test accounts before enabling on real users.  It can be a very tangled knot.
  Also, before you commit to MCX, do the research.  Apple is moving everything into Profile Manager and MCX was depreciated in 10.9.  In 10.10 is sort of is not there.  Workgroup Manager for 10.9 still runs in 10.10 but it is clear Apple wants this gone.

• Passing data to different internal tables with different columns from a comma delimited file

  Hi,
  I have a program wherein we upload a comma delimited file and based on the region( we have drop down in the selection screen to pick the region).  Based on the region, the data from the file is passed to internal table. For region A, we have 10 columns and for region B we have 9 columns.
  There is a split statement (split at comma) used to break the data into different columns.
  I need to add hard error messages if the no. of columns in the uploaded file are incorrect. For example, if the uploaded file is of type region A, then the uploaded file should be split into 10 columns. If the file contains lesser or more columns thenan error message should be added. Similar is the case with region B.
  I do not want to remove the existing split statement(existing code). Is there a way I can exactly pass the data into the internal table accurately? I have gone through some posts where in they have made use of the method cl_alv_table_create=>create_dynamic_table by passing the field catalog. But I cannot use this as I have two different internal tables to be populated based on the region. Appreciate help on this.
  Thanks,
  Pavan

  Hi Abhishek,
  I have no issues with the rows. I have a file with format like a1,b1,c1,d1,e1, the file should be uploaded and split at comma. So far its fine. After this, if the file is related to region A say Asia, then it should have 5 fields( as an example). So, all the 5 values a1,b1..e1 will be passed to 5 fields of itab1.
  I also have region B( say Europe)  whose file will have only 4 fields. So, file is of the form a2,b2,c2,d2. Again data is split at comma and passed to itab2.
  If some one loads file related to Asia and the file has only 4 fields  then the data would be incorrect. Similar is the case when someone tries to load Europe file with 5 fields related data. To avoid this, I want to validate the data uploaded. For this, I want to count the no. of fields (seperated by comma). If no. of fields is 5 then the file is related to Asia or if no. of fields is 4 then it is Europe file.
  Well, the no. of commas is nothing but no. of fields - 1. If the file is of the form a1,b1..e1 then I can say like if no. of commas = 4 then it is File Asia.But I am not sure how to write a code for this.Please advise.
  Thanks,
  Pavan

• Using cached credentials (LSASS) with portable browser to access webproxy with integrated authentication (NTLM)

  We want to create a small portable application in our network that accesses a server on the internet using an internal proxy that requires integrated windows authentication (NTLM) from a standard domain client PC(non admin) running in
  user mode after the client logged in. We wonder if such a PE is able to access cached credentials (LSASS hashes). If you read that browsers like chrome can access cached credentials with integrated
  authentication I wonder if that is really possible. In my understanding no portable 3rd party application that gets executed after the user is logged in is able to access such stored hash
  values (only maybe some hacker tools that run under system account can dump such hashes). But maybe it is possible. Very happy if someone can point me in the right direction.
  Thx
  Oliver

  Hi Oliver,
  The closest method I can relate is Kerberos Delegation, which allows an application to reuse the end-user credentials to access recourses hosted on a different server.
  More information for you:
  Kerberos Delegation
  http://blogs.msdn.com/b/autz_auth_stuff/archive/2011/05/03/kerberos-delegation.aspx
  About Kerberos constrained delegation
  https://technet.microsoft.com/en-us/library/cc995228.aspx?f=255&MSPPError=-2147217396
  Best Regards,
  Amy
  Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• "Logon failure: unknown user name or bad password" even with correct Credentials

  I have networked PCs before many times successfully, so this is not my first time trying to network PCs in a home environment. Though I’m wondering if Windows 8.1 is part of the problem. 
  I would have thought that for sure, until one of the new laptops running W8.1 would not connect to any of the other three PCs/Laptops running W8.1. Yet these other three W8.1 PCs/Laptops CAN connect to this laptop. Then it gets a little more interesting:
  this same laptop that couldn’t connect to those three W8.1 PCs/Laptops, CAN connect to a Windows 7 desktop, and a XP Laptop, and those two can also connect back to it without issue. It’s almost like my network is divided in half, and only half can talk to
  each other. But then when I thought it couldn’t get any more interesting, I realized the first three W8.1 PCs/Laptops can talk to the others, it’s just that the others (W8.1 Laptop, W7 Desktop, XP Laptop) can’t talk back to them without getting the error,
  "Logon failure: unknown user name or bad password” even though the username and password are 100% correct.
  I don’t fully understand this error, because on the surface, it’s just WRONG! 
  My username and password are correct, but it appears something somewhere is interfering or hijacking the authentication process. Three of the computers (laptops) are brand new, just purchased last week and setup this week. The HostPC is also fairly new,
  just purchased last month.
  I am not using a HomeGroup, and have removed all computers that were part of a HomeGroup. I have enabled file sharing and network discovery and enabled “Use user accounts and passwords to connect to other computers” on all PCs.
  I have DSL and am using the wireless modem provided by my ISP which has router functionality built into it. It is a Sagemcom Model: F@ST 1704N.
  All computers are connected wirelessly. Time is correct on all PCs. I cannot use Group Policy, since they're all Standard or Home edition. DHCP is enabled and all computers are on the same subnet, using the 192.168.254.x range of ip addresses.
  The six computers are as follows: (I figured this may make is easier to visualize the layout)
  HostPC: HP Desktop W8.1           
  PC Name: DrsBlend
  U/N: DrsBlend  p/w: 123456 (not showing my real password)
  PC1: HP Laptop W8.1
  PC Name: DrsBlend-1
  U/N: DrsBlend    P/W: 123456
  PC2: HP Laptop W8.1
  PC Name: DrsBlend-2
  U/N: DrsBlend    P/W: 123456
  PC3: HP Laptop W8.1
  PC Name: DrsBlend-3
  U/N: DrsBlend    P/W: 123456
  PC4: HP Desktop W7 SP1
  PC Name: DrsBlend-4
  U/N: DrsBlend    P/W: 123456
  PC5: Dell Laptop XP SP3
  PC Name: DrsBlend-5
  U/N: DrsBlend    P/W: 123456
  Every PC stated above has the same user name and password and is logged-in with the username, DrsBlend and the password 123456. The "Logon failure: unknown user name or bad password” happens when trying to access HostPC, PC1, or PC2 from PC3, PC4, or
  PC5.
  The HostPC can see and connect to all the PCs, but only PC1 and PC2 can talk back or access the HostPC. 
  It’s like the HostPC and PC1, and PC2 are in their own little clique, and can talk back and forth to each other. Those three PCs can also talk to PC3, PC4, and PC5 as well, but PC3, PC4, and PC5 cannot talk back to them (HostPC, PC1, PC2).
  Profile corruption? I would have entertained that thought, but the fact the first three PCs can access and talk to one another kind of defeats that idea, and the fact the PCs were just recently setup.
  Firewall? Disabled, and disabled TrendMicro with no change. With them on/off, the first three PCs can still talk to each other and the rest of the PCs.
  Anyone have any additional suggestions?

  Hi，
  How did you connect to other PCs? Do you use RDP to connect to other PCs? If so, check the version of the RDP, as I know, some low version RDP can't connect to higher Windows like 8.1.
  And could you please tell us the detailed information about how the six PCs connect to the home network?
  Can PC1, PC2, PC3 ping back to host PC, PC1 and PC2?
  You can also run command " rundll32.exe keymgr.dll, KRShowKeyMgr " view the credentials stored in your PC,check whether this issue is related with some old credentials stored in your system.
  Yolanda Zhu
  TechNet Community Support

• Hi, i cannot publish my iWeb site with  a non mac domaine name...can anyone help please?

  hi, i cannot publish my iWeb site with  a non mac domaine name...can anyone help please?

  Hi, I have a site developed by myself usinf iWeb and as iWeb are no longer hosting teh sites in 2012 i have found another domaine. It is with Go Daddy and the domaine / name is live. I have tried to publish site using fttp but keeps coming up wih a common error message saying the info i have input is incorrect. I have tread this may be an issue if host is a windows based host???
  appreciete your help

• How to read the 'Input help with fixed values' of domain .

  How to read the 'Input help with fixed values' of domain .
  The domain has a Value range i want to read those values .
  Are these values stored in any table ?
  Plz help me i need it ver badly...
  Thanks in Advance...

  Hi Chandra Shekhar,
  To read the 'Input help with fixed values' of domain , you can use the function module : HR_P_GET_FIXED_VALUE_TEXT.
  iIf you enter the domain name, you will find the fixed values entered in the domain.
  These values are stored in a table DD07L(DD zero 7 L). Here the values are stored based on domain name.
  See if it works for you.
  Award points if its helpful.
  Regards,
  Bhanu

• I have a problem that my phone only vibrates but does NOT ring any more.  No matter what I try to do with settings turning off "silent" or whatever nothing helps.  Do I need to reset.  what are the consequences of resetting?

  I have a problem that my phone only vibrates but does NOT ring any more.  No matter what I try to do with settings turning off "silent" or whatever nothing helps.  Do I need to reset.  what are the consequences of resetting?

  What a numpty!  Yes of course you're right.
  Couldn't find the answer when searching the forum but then came accross this.
  Next dumb question coming up! :-(