Use Cached Passwords
Use password caching if client users authenticate without entering their Windows password (for example, with public key, certificate, or SecurID authentication) but also need access to domain resources, such as printers and remote file servers, that require domain credentials. Each user must log in with a password at least once; the server stores that password in an encrypted cache file and, on later connections, uses it to acquire credentials on the user's behalf, which gives the user access to domain resources. Because the server must present the password itself, the cache holds it in recoverable (encrypted, not hashed) form, so treat the server host and the cache file as sensitive.
Before you begin
- Configure and test the client and server to connect using public key authentication (or any other authentication method that doesn't require Windows credentials). At this point, client users can make connections to the server, but will not have access to domain resources that require their Windows credentials.
Configure the server
- Start the server console, and then click Configuration.
- From the Password Cache pane, select Record password for caching and Use password cache.
Note: To enable Use password cache, you must also select Record password for caching. This is by design: it lets the server update cached passwords when a password change is required. You can record passwords without using the cache, but you cannot use the cache without recording passwords.
- From the Password pane, confirm that password authentication is set to Allow and Allow password change is selected. (This is the default configuration.)
- From the Public Key pane (or the pane you used to configure an alternate authentication option), confirm that Allow is selected.
Note: If Require is selected, client authentication fails when Use password cache is enabled and no password is cached for the user, or the cached password is no longer valid (for example, after it expires). To use password caching and still require public key (or another alternate) authentication, use Allow initially; after users have logged in with their passwords, change the value to Require. You will need to return the value to Allow whenever new passwords must be cached, either because new users are logging in or because passwords have expired.
- Save your settings (File > Save Settings).
Configure and connect from the client
- Confirm that the client is configured to attempt public key authentication first and also supports Keyboard Interactive and/or Password authentication, so the server can prompt for the Windows password when it has no valid cached entry. (This is the default for Reflection for Secure IT clients.)
- Connect to the server.
The first time a client user connects, the server displays a password prompt. When the user enters their Windows credentials, the connection is made and the credentials are saved to the password cache. The user now has access to domain resources that require Windows credentials and can make subsequent connections without entering the Windows password. When the password expires, the user is prompted for a new password and the cache is updated.
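The following model replays the connection sequence described above and the way the documented settings interact (Record password for caching, Use password cache, Public Key Allow/Require, Allow password change). It is an added example written for this page, not Reflection for Secure IT code: the server, directory, user name and passwords are constructed stand-ins, the cache is kept in memory rather than in the product's encrypted file, and the prompt callback stands in for the client's Keyboard Interactive/Password exchange.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional


class Mode(Enum):
    ALLOW = "Allow"      # method may be used; the server can fall back to a password prompt
    REQUIRE = "Require"  # method must succeed; no fallback


@dataclass
class ServerSettings:
    record_password: bool           # Password Cache pane: Record password for caching
    use_cache: bool                 # Password Cache pane: Use password cache
    public_key: Mode                # Public Key pane: Allow or Require
    password_allowed: bool = True   # Password pane: Allow
    allow_password_change: bool = True

    def __post_init__(self) -> None:
        # The console enforces this dependency; the model rejects the same combination.
        if self.use_cache and not self.record_password:
            raise ValueError("Use password cache requires Record password for caching")


@dataclass
class Directory:
    """Constructed stand-in for the Windows domain (assumption: not a real domain)."""
    passwords: dict
    expired: set = field(default_factory=set)

    def valid(self, user: str, password: str) -> bool:
        return self.passwords.get(user) == password and user not in self.expired

    def change(self, user: str, old: str, new: str) -> bool:
        if self.passwords.get(user) != old:
            return False
        self.passwords[user] = new
        self.expired.discard(user)
        return True


# Stand-in for the client's Keyboard Interactive / Password exchange: called with
# "password" or "new_password", returns the user's answer, or None if the client
# has no interactive method enabled and cannot answer.
Prompt = Callable[[str], Optional[str]]


@dataclass
class Server:
    settings: ServerSettings
    directory: Directory
    cache: dict = field(default_factory=dict)  # product: encrypted file; model: in memory

    def _remember(self, user: str, password: str) -> None:
        if self.settings.record_password:
            self.cache[user] = password

    def _password_logon(self, user: str, prompt: Prompt) -> dict:
        """Password logon, including the forced change when the password has expired."""
        s = self.settings
        if not s.password_allowed:
            return {"connected": False, "prompted": False, "reason": "password auth not allowed"}
        typed = prompt("password")
        if typed is None:
            return {"connected": False, "prompted": True, "reason": "client cannot answer prompt"}
        if self.directory.passwords.get(user) != typed:
            return {"connected": False, "prompted": True, "reason": "bad password"}
        if user in self.directory.expired:
            new = prompt("new_password") if s.allow_password_change else None
            if new is None or not self.directory.change(user, typed, new):
                return {"connected": False, "prompted": True, "reason": "password expired"}
            typed = new
        self._remember(user, typed)
        return {"connected": True, "prompted": True, "domain_access": True, "reason": "password"}

    def connect(self, user: str, public_key_ok: bool, prompt: Prompt) -> dict:
        s = self.settings
        if not public_key_ok:
            if s.public_key is Mode.REQUIRE:
                return {"connected": False, "prompted": False, "reason": "public key required"}
            return self._password_logon(user, prompt)  # Allow: plain password logon
        cached = self.cache.get(user) if s.use_cache else None
        if cached is not None and self.directory.valid(user, cached):
            return {"connected": True, "prompted": False, "domain_access": True, "reason": "cached password"}
        if s.use_cache:
            # Nothing usable in the cache: refill it via a prompt, unless Require forbids the fallback.
            if s.public_key is Mode.REQUIRE:
                return {"connected": False, "prompted": False, "reason": "Require set and no valid cached password"}
            return self._password_logon(user, prompt)
        return {"connected": True, "prompted": False, "domain_access": False, "reason": "public key only"}


def walkthrough() -> list:
    """Replay the page's sequence: first logon, repeat logon, expiry, repeat logon."""
    directory = Directory(passwords={"alice": "Winter2024!"})  # constructed sample user
    srv = Server(ServerSettings(record_password=True, use_cache=True, public_key=Mode.ALLOW), directory)
    answers = {"password": "Winter2024!", "new_password": "Spring2025!"}
    prompt = lambda kind: answers[kind]
    log = [srv.connect("alice", True, prompt), srv.connect("alice", True, prompt)]
    directory.expired.add("alice")                   # domain forces a password change
    log.append(srv.connect("alice", True, prompt))   # old password typed, new one set and cached
    log.append(srv.connect("alice", True, prompt))   # back to a silent cached logon
    return log


def require_with_empty_cache() -> dict:
    """The failure mode from the Public Key note: Require selected before any password was cached."""
    srv = Server(ServerSettings(True, True, Mode.REQUIRE), Directory(passwords={"bob": "pw"}))
    return srv.connect("bob", True, lambda kind: "pw")
```

`walkthrough()` shows the prompt appearing only on the first logon and again at expiry, with the cache refreshed each time; `require_with_empty_cache()` shows why Require must be switched back to Allow whenever a new password has to be cached.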