Any updates?
Authentication problem
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 91%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHA%3C/text%3E%3C/svg%3E)
Hram Admin
350
Reputation points
Hello!
While investigating an authentication issue with our db server I was puzzled by the following:
a) there's a production db server (domain-joined) - named say Srv
b) there's a test standalone server - named say Test
On Srv there're no current network sessions:
On Test there are no cached credentials for Srv or kerberos tickets:
Theoretically in this case when accessing a network share on Srv from Test I'm expecting to see the authentication dialog requesting domain credentials but access is being granted as if the credentials had been already cached:
The event 4624 on Srv displays successful logon using KERBEROS authentication.
Would anybody please tell me where these cached credentials are kept if I can see them neither in Credential Manager nor in Klist? As far as I understand they should NOT stay in memory after the session is closed...
Regards,
Michael
Windows for business | Windows Server | Networking | Network connectivity and file sharing
5 answers
Sort by: Most helpful
-
Hram Admin 350 Reputation points
2025-12-12T14:49:49.5733333+00:00 Hi Kate,
Thank you once again for your clarification!
"If you see Kerberos authentication from a non-domain machine, it suggests the client may have some domain association or cached credentials not visible in Credential Manager, or there is a misconfiguration." - theoretically a client may use Kerberos authentication when connecting from a standalone server/workstation to a member server but I've never seen it during my 25 years of Windows administration.
Here's the test in which I 'm connecting from my testing stanalone server named CLOUD to my productional file server FS (domain-joined} and I'm doing it for the very first time - I've NEVER access FS from CLOUD before!
- The CLOUD standalone server
2 FS - domain file server
3 Currently there's only one session on FS - and this session is NOT from CLOUD:
4 I access \FS from CLOUD:
- The resulting event 4624 on FS's Security log:
???
-
Hram Admin 350 Reputation points
2025-12-08T09:33:22.04+00:00 Hi Kate,
Thank you so much for the clarification!
..and this - "So, cached logons in the registry only apply to offline interactive logons on domain-joined machines, not to network share access from non-domain systems." - effectively means that the first answer
- ("Instead, Windows stores an encrypted verifier of the password in the registry's security hive, specifically for domain logons. This verifier is a salted MD4 hash computed twice, and it allows users to log on locally when the domain controller is unavailable.") -
... - does not apply in this case as I'm connecting to \domainserver\share from a NON-DOMAIN computer!
And this brings us back to the original question:
if this is true -
- When you connect to \domainserver\share from a workgroup or non-domain machine, you supply credentials, but these are not stored in the registry’s Security hive.
- Instead, they may be temporarily cached in memory for the session or stored in Credential Manager if you choose “Remember my credentials.”
- Kerberos tickets won’t apply because the machine isn’t domain-joined; NTLM is typically used.
then how come I can access \domainserver\share from a standalone computer when
a) the connection from Test to SRV initiates a brand NEW session
b) there are no saved credentials in Credential Managerand andc) WHY DOES THIS CONNECTION HAS the AUTHENTICATION TYPE = KERBEROS and NOT NTLM ???
Regards,
Michael-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 26%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKP%3C/text%3E%3C/svg%3E)
Kate Pham (WICLOUD CORPORATION) 665 Reputation points Microsoft External Staff Moderator2025-12-11T09:10:18.27+00:00 Hi Michale,
Kerberos authentication is only available when both the client and server are domain-joined and can communicate with a domain controller. For non-domain (workgroup) computers, NTLM is typically used for authentication to domain resources. Cached credentials in the registry (the encrypted verifier) are only relevant for offline interactive logons on domain-joined machines, not for network share access from non-domain systems.
If you are seeing Kerberos authentication from a standalone (non-domain) computer to a domain server, this is unexpected according to standard Windows authentication workflows. Normally, such a connection would use NTLM, unless there is some mechanism (such as a domain trust, or the client is actually domain-joined or has access to domain credentials) that allows Kerberos to be used.
Credential Manager can store credentials for network resources, and if "Remember my credentials" is selected, these are saved and reused for future connections. However, if there are no saved credentials and the machine is not domain-joined, Kerberos should not be possible.
In summary:
- Cached credentials in the registry are for offline domain logons, not for network share access from non-domain systems.
- Kerberos authentication requires both client and server to be domain-joined.
- If you see Kerberos authentication from a non-domain machine, it suggests the client may have some domain association or cached credentials not visible in Credential Manager, or there is a misconfiguration.
For more details, please refer to the documents:
https://learn.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview
Sign in to comment -
Hram Admin 350 Reputation points
2025-12-05T19:05:39.84+00:00 Hi Kate,
Thank you so much for the very interesting articles!
Regarding this: "Instead, Windows stores an encrypted verifier of the password in the registry's security hive, specifically for domain logons."
I always thouth that this - "Each time a user logs on to a domain, Windows caches the credentials supplied and stores them in the security hive in the registry of the operation system." - means that
1 User is pressing CTRL+Alt+Del on a DOMAIN-JOINED workstation and supplies his/her domain credentials
2 After successfull log on he or she may later repeat the process from step 1 without access to a DC (and the "Number of cached logons..." means how many times a user can log on without contacting a DC).
Am I getting you right that the term "~domain logon" can also mean the process of accessing a server share (for example by navigating to \domainserver\share) FROM a NON-DOMAIN computer and supplying user credentials? And that in this case those credentials will also be cached in regestry?
Regards,
Michael-
Kate Pham (WICLOUD CORPORATION) 665 Reputation points Microsoft External Staff Moderator
2025-12-08T02:53:11.2966667+00:00 Hi Michale,
Thank you for continuing contribution to the community!
Yes, you're right about the first part:
- When a user logs on to a domain-joined workstation and successfully authenticates against a DC, Windows caches a verifier (not the plaintext password) in the Security hive.
- This allows subsequent logons without contacting a DC, up to the limit set by the policy Interactive logon: Number of previous logons to cache.
However, the term “domain logon” (CTRL+ALT+DEL) in Microsoft’s documentation refers specifically to interactive logon to a domain account on a Windows machine, not to network resource access from a non-domain computer.
- When you connect to
\\domainserver\sharefrom a workgroup or non-domain machine, you supply credentials, but these are not stored in the registry’s Security hive. - Instead, they may be temporarily cached in memory for the session or stored in Credential Manager if you choose “Remember my credentials.”
- Kerberos tickets won’t apply because the machine isn’t domain-joined; NTLM is typically used.
So, cached logons in the registry only apply to offline interactive logons on domain-joined machines, not to network share access from non-domain systems.
I hope this helps clarify the situation. If you find this answer helpful, please don’t forget to click “Accept Answer” 🙂.
Kate!
Sign in to comment -
-
Kate Pham (WICLOUD CORPORATION) 665 Reputation points Microsoft External Staff Moderator
2025-12-05T07:03:46.22+00:00 Hi @Hram Admin
Thank you for contact Microsoft Q&A community, hope you have a nice day!
When you access a network share and are granted access without an authentication dialog, Windows is likely using cached domain credentials. These credentials might not store in Credential Manager or visible in Klist because they are not generic credentials or Kerberos tickets. Instead, Windows stores an encrypted verifier of the password in the registry's security hive, specifically for domain logons. This verifier is a salted MD4 hash computed twice, and it allows users to log on locally when the domain controller is unavailable. These cached credentials are not the actual username or password, and they do not persist in memory after the session is closed—they are stored on disk in the registry and used only for validating logons when disconnected from the domain controller.
Allow me to share related Microsoft articles bellow:
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn751047(v=ws.11)
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh994565(v=ws.11)Please accept the answer if you believe this information adds some value, so that your experience with the issue would help contribute to the whole community.
T&R
Kate!