Windows Server2012 Kerberos Domain Logon Without AS Response Ticket

Question

Hi everyone,

I'm currently doing some experiments with domain logon, and find something makes me confused.
When the domain user logins with kerberos protocol, the normal chanllenge-response should like below:

1. Client -> Server : AS Request
2. Server -> Client : Normally send back KDC_ERR_PREAUTH_REQUIRED first
3. Client -> Server : Send AS Request agin
4. Server -> Client : (Success) AS Response Ticket / (Failed) KDC_ERR_PREAUTH_FAILD

I tried to intercept the response ticket so that the client can't receive AS response, and found that the client can still login to domain account!
Why can domain user login without domain server response ticket?
How does windows judge whether a user can login?

The screenshot is provided below. IP 198 is server, and 155 is client.
Environment : (Client) Windows 10 (Server) Windows Server 2012

Answer 1

I found the reason why the user can still login is because of WinLogon cache mechanism.
If the user login before, he would leave some information in the cache.
Next time, when user logins in and finds that he cannot connect to the domain controller, he will turn to cache login.
This mechanism will pass the user login but without the ability to use domain resources(Because user haven't taken the kerberos ticket).

By setting the cache count in the host computer
(Go regedit.exe -> HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Window NT -> CurrentVersion -> WinLogon -> CachedLogonCount set to 0)
And you will find no user can login without finishing kerberos authentication.

Hope that it would help anyone who get into trouble with the same problem.

Best regards.