Discussion:
Cached logon in custom GINA
Dmitriy Golubev
2006-04-10 09:08:49 UTC
Hi all!

I found that the standard MS Gina doesn't use the Interactive logon type. Instead, it
uses the CachedInteractive logon type, and if the CachedInteractive logon fails,
a simple Interactive logon is used instead. I read in the MSDN that
CachedInteractive logon is performed without hitting the domain controller.
Does anybody know how to use this logon type? How does MS Gina retrieve user
profile information in case this information is updated on the Domain
Controller?

Thank you.
Kellie Fitton
2006-04-10 15:03:41 UTC
Hi,

The following weblinks should shed light on the subject:

http://msdn.microsoft.com/msdnmag/issues/05/05/SecurityBriefs/

http://msdn.microsoft.com/msdnmag/issues/05/06/SecurityBriefs/

http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/msgina.mspx

Hope this information helps,

Kellie.
Dmitriy Golubev
2006-04-11 11:00:37 UTC
Thank you for information.
Unfortunately, I can't find answers for my questions in these links.
Post by Kellie Fitton
Hi,
http://msdn.microsoft.com/msdnmag/issues/05/05/SecurityBriefs/
http://msdn.microsoft.com/msdnmag/issues/05/06/SecurityBriefs/
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/msgina.mspx
Hope this information helps,
Kellie.
Alex Fedotov
2006-04-12 00:50:10 UTC
Post by Dmitriy Golubev
I found that the standard MS Gina doesn't use the Interactive logon type. Instead,
it uses the CachedInteractive logon type, and if the CachedInteractive logon
fails, a simple Interactive logon is used instead. I read in the
MSDN that CachedInteractive logon is performed without hitting the domain
controller. Does anybody know how to use this logon type? How does MS Gina
retrieve user profile information in case this information is
updated on the Domain Controller?
From what I know, MSGINA does not attempt to synchronize the user profile
with the domain controller in case of a cached logon. It just uses the
cached copy.

Having said that, when cached logon succeeds, MSGINA performs a true
Interactive logon on a background thread. If you enable audit of logon and
logoff events, you will see that a successful logon of type 11 (which is
CachedInteractive) is immediately followed by a logon of type 2 (Interactive),
with the logon process set to GinaBkg. The profile resulting from this
second logon is apparently discarded, but I would assume that the local
profile cache gets updated as a side effect of doing a logon, so that the
next cached logon will pick up an updated profile.

-- Alex Fedotov
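The audit pattern Alex describes (a successful type 11 CachedInteractive logon immediately followed by a type 2 Interactive logon whose logon process is GinaBkg) is something a defender can check for mechanically. The script below is an added example, not code from the thread or from Microsoft: it walks constructed sample audit records, pairs each cached logon with the background interactive logon that should follow it, and reports cached logons that never got one. The record field names, the 30-second pairing window and the sample data are all assumptions; a cached logon without a successful follow-up means the background logon did not complete (for instance because no domain controller was reachable), so the user's profile and group information came purely from the local cache and may be stale.

```python
"""Correlate CachedInteractive (type 11) logons with the background
Interactive (type 2, logon process GinaBkg) logon MSGINA performs afterwards.

Added example; the records below are constructed sample data, not real
Security log output, and the field layout is an assumption.
"""
from datetime import datetime, timedelta

CACHED_INTERACTIVE = 11          # logon type from the thread
INTERACTIVE = 2                  # logon type from the thread
BACKGROUND_PROCESS = "GinaBkg"   # logon process name from the thread
PAIR_WINDOW = timedelta(seconds=30)  # assumption: how soon the follow-up is expected

# Constructed sample audit records (not real logs).
SAMPLE_EVENTS = [
    {"time": "2006-04-12 09:00:01", "user": "CORP\\dgolubev", "logon_type": 11, "logon_process": "User32"},
    {"time": "2006-04-12 09:00:02", "user": "CORP\\dgolubev", "logon_type": 2,  "logon_process": "GinaBkg"},
    {"time": "2006-04-12 12:15:40", "user": "CORP\\jdoe",     "logon_type": 11, "logon_process": "User32"},
    # jdoe gets no follow-up type-2 GinaBkg logon: the background logon never succeeded
    {"time": "2006-04-12 13:05:10", "user": "CORP\\asmith",   "logon_type": 2,  "logon_process": "User32"},
]


def parse_time(value):
    """Parse the constructed timestamp format used in SAMPLE_EVENTS."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def correlate_cached_logons(events, window=PAIR_WINDOW):
    """For every type-11 logon, look for a type-2 logon by the same user from
    logon process GinaBkg within `window`; return one result per cached logon.
    """
    ordered = sorted(events, key=lambda e: parse_time(e["time"]))
    results = []
    for index, event in enumerate(ordered):
        if event["logon_type"] != CACHED_INTERACTIVE:
            continue
        started = parse_time(event["time"])
        refreshed = any(
            later["user"] == event["user"]
            and later["logon_type"] == INTERACTIVE
            and later["logon_process"] == BACKGROUND_PROCESS
            and timedelta(0) <= parse_time(later["time"]) - started <= window
            for later in ordered[index + 1:]
        )
        results.append({"user": event["user"], "time": event["time"], "dc_refreshed": refreshed})
    return results


def stale_cached_logons(events, window=PAIR_WINDOW):
    """Cached logons with no successful background refresh: profile and group
    data for these sessions came only from the local cache."""
    return [r for r in correlate_cached_logons(events, window) if not r["dc_refreshed"]]


if __name__ == "__main__":
    for result in correlate_cached_logons(SAMPLE_EVENTS):
        status = "refreshed from DC" if result["dc_refreshed"] else "CACHE ONLY"
        print(f'{result["time"]}  {result["user"]:<16} {status}')
```

On a real host the records would come from the Security log rather than the inline list; the pairing logic stays the same, and the "CACHE ONLY" rows are the sessions where updated group memberships or profile data could not have been picked up.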
Dmitriy Golubev
2006-04-12 09:53:07 UTC
Thank you, Alex!

One more question: I execute the following operations:
1. Log on to the workstation (joined to Active Directory) using a normal
domain user account (Domain Users).
2. Then log off.
3. Next, I add this user as a member of a second domain group (e.g.
SomeOtherDomain group).
4. After replication is done, I log on to the same workstation as the domain user
again, run the command-line utility WhoAmI.exe and check the results. I've
found that my user is included in the second (SomeOtherDomain) group. I'm not
sure, but I believed that group membership information should not be
present in the SAM cache. Could you explain to me how MSGINA got this information
during the logon process?

Thank you again.
Post by Alex Fedotov
Post by Dmitriy Golubev
I found that the standard MS Gina doesn't use the Interactive logon type. Instead,
it uses the CachedInteractive logon type, and if the CachedInteractive logon
fails, a simple Interactive logon is used instead. I read in the
MSDN that CachedInteractive logon is performed without hitting the domain
controller. Does anybody know how to use this logon type? How does MS Gina
retrieve user profile information in case this information is
updated on the Domain Controller?
From what I know, MSGINA does not attempt to synchronize the user profile
with the domain controller in case of a cached logon. It just uses the
cached copy.
Having said that, when cached logon succeeds, MSGINA performs a true
Interactive logon on a background thread. If you enable audit of logon and
logoff events, you will see that a successful logon of type 11 (which is
CachedInteractive) is immediately followed by a logon of type 2
(Interactive), with the logon process set to GinaBkg. The profile
resulting from this second logon is apparently discarded, but I would
assume that the local profile cache gets updated as a side effect of doing
a logon, so that the next cached logon will pick up an updated profile.
-- Alex Fedotov
c***@gmail.com
2013-03-28 14:45:05 UTC