Cached Smart card

Question

I've set up a system where a Certificate Authority (CA) issues certificates, which are then deployed to clients using YubiKeys. Authentication works fine while on the domain, but when off the domain, I receive a "domain unavailable" error and cannot log in. I have a Group Policy set to cache the last 10 logins (Interactive logon: Number of previous logons to cache), but it doesn't seem to be working as expected.

Answer 1

Hello

Thank you for posting in Q&A forum.

Here are some troubleshooting steps to help resolve the issue:

1. Ensure that the Group Policy setting for caching logons is correctly applied.
2. Force a Group Policy update on the client systems to ensure the settings are applied:

gpupdate /force

3. Check the Event Viewer on the client systems for any Group Policy-related errors.
4. Ensure that the time on both the client and the domain controller is synchronized. Time discrepancies can cause authentication issues:

w32tm /resync

5. Ensure that the DNS settings are correct, and that the client can resolve the domain controller's DNS name even when off the domain.
6. Ensure that the cached credentials are being stored correctly:

Open Registry Editor (regedit).

Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Check the value of CachedLogonsCount and ensure it is set to 10.

7.Ensure that the certificates are valid and not expired, and the YubiKeys are configured to work in offline mode.

Reference:

Group Policy password caching - Microsoft Q&A

I hope the information above is helpful.

If you have any questions or concerns, please feel free to let us know.

Best Regards,

Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.