Cached Logons Set to 10 - Runas Administrator Overwriting

Kevin Goosie 96 Reputation points
2021-09-09T11:32:16.527+00:00

So, I have this weird issue where the cached logons for interactive logon is set to 10, but will only cache one account. I log in as a standard user and that logon is cached, but after "run as administrator" is executed, using a separate domain account for local admin rights, the credentials just saved from the standard user are overwritten with that local admin domain account.

When this happens, the end user is not able to log back in without being on the domain, unless they immediately lock then unlock with their standard logon.

Windows 10
Windows 10
A Microsoft operating system that runs on personal computers and tablets.
10,553 questions
Windows 10 Setup
Windows 10 Setup
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Setup: The procedures involved in preparing a software program or application to operate within a computer or mobile device.
1,899 questions
Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,745 questions
0 comments
Accepted answer
  1. Kevin Goosie 96 Reputation points
    2021-09-12T11:21:46.91+00:00

    I actually found the answer. Took some time, but it is stated here

    https://learn.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration#smart-card-sign-in-flow-in-windows

    Under 2c at the Note.

    "Smartcard cache entries are created for certificates with a subject name or with a subject key identifier. If the certificate has a subject name, it is stored with an index that is based on the subject name and certificate issuer. If another certificate with the same subject name and certificate issuer is used, it will replace the existing cached entry. A change in this behavior after Windows Vista, allows for the condition when the certificate does not have a subject name, the cache is created with an index that is based on the subject key identifier and certificate issuer. If another certificate has the same the subject key identifier and certificate issuer, the cache entry is replaced. When certificates have neither a subject name nor subject key identifier, a cached entry is not created."

    0 comments

3 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Limitless Technology 39,331 Reputation points
    2021-09-09T19:00:41.2+00:00

    Hello @Kevin Goosie

    I would suggest you check if AD Replication is in healthy state.

    Also, Please run below commands.

    C:> gpupdate/force
    C:\> gpresult /h c:\temp\gpresult.html

    to see the cache credentials settings are applied properly.

    If the reply was helpful, please don’t forget to upvote or accept as answer.

    0 comments
  2. Kevin Goosie 96 Reputation points
    2021-09-09T20:13:26.97+00:00

    AD Replication is healthy.

    gpupdate /force completed without any issues
    gpresult reported back the correct cached logon count was applied.

    Also, we are on 1909.

    I am almost wondering if it only started using a single slot after an update, but what update I am not sure.

    0 comments
  3. Kevin Goosie 96 Reputation points
    2021-09-11T18:32:19.94+00:00

    Let me add some more information to this.

    Smart cards are being used and the standard account smart card and the admin smart card are issued from the same CA.

    Can anyone tell me where Microsoft states that it will only cache one set of smart card credentials from a single CA?

    Essentially in this case, both smart cards would have to be from different CAs.

    0 comments