Record and Use Cached Credentials

Use automatic credential caching if client users authenticate without using their Windows credentials (for example, with public key, certificate, or SecurID authentication), and also need access to domain resources that require domain credentials. Users must log in using a password at least once. User passwords are cached in an encrypted cache. After a user's password is cached, the server can use the cached password to acquire credentials on behalf of the user. This enables users to access domain resources.

Cached passwords can provide access to:

  • SFTP virtual directories for which the physical directory is a network resource. (These directories apply to all SFTP and SCP2 connections, and may apply to SCP1 connections, depending on your configuration.)
  • Mapped drives configured for use with terminal sessions.

Before you begin

  • Configure and test the client and server to connect using public key authentication (or any other authentication method that doesn't require Windows credentials). At this point, client users can make connections to the server, but will not have access to domain resources that require their Windows credentials.

Configure the server

  1. Start the server console, and then click Configuration.
  2. From the Credential Cache pane, select both of the following:
    • Record passwords in the cache when users log in
    • Use cached passwords to give users access to domain resources

      Note: To enable Use cached passwords to give users access to domain resources, you must select Record passwords in the cache when users log in. This is by design, and enables the server to update cached passwords when a password change is required.

  3. From the Password pane, confirm that password authentication is set to Allow and Allow password change is selected. (This is the default configuration.)
  4. From the Public Key pane (or the pane you used to configure an alternate authentication option), confirm that Allow is selected.

    Note: If Require is selected, client authentication fails when Use cached passwords to give users access to domain resources is enabled and no password is cached, or a cached password is no longer valid. If you want to use password caching and also require public key (or any alternate) authentication method, you need to use Allow initially. After users have logged in with their passwords, you can reset the value to Require. However, you will need to return this value to Allow whenever new passwords need to be cached, either because new users are logging in or passwords have expired.

  5. Save your settings (File > Save Settings).

Configure and connect from the client

  1. Confirm that the client is configured to attempt public key authentication first (if client users authenticate with public keys or certificates), and also supports Keyboard Interactive and/or Password authentication.
  2. Connect to the server.

    The first time the client user connects to the server, the server displays a password prompt. When the user enters his or her Windows credentials the connection is made and these credentials are saved to the credential cache. The client user now has access to domain resources that require Windows credentials. The user can make subsequent connections without entering the Windows password. When the password expires, the user is prompted for a new password and the cache is updated.

Related Topics

Configure Public Key User Authentication: Reflection for Secure IT Client for Windows

Configure Public Key User Authentication: Reflection for Secure IT Client for UNIX

Cached Credentials

Understanding How Credentials Affect User Access to Resources