KB-11117: Is it possible to login to a device when it's in disconnected mode?

Authentication Service

28 September,18 at 02:30 PM

Can you log in if Active Directory is offline?

After an Active Directory user logs on to a computer successfully, the authentication is cached on the local computer indefinitely until manually cleared. These cached credentials can then be used to authenticate the user in subsequent logon attempts if the user is disconnected from the network or if an Active Directory domain controller is not available.

If there are changes to an account while the account is running in disconnected mode, the changes do not take effect until the user reconnects to Active Directory to start a new session or access a new service. For example, if a user account is disabled or has its password changed in Active Directory while the user is disconnected from the network, the user can still log on and use the old password until reconnected to the network. After the user reconnects to Active Directory, the changes take effect and the user is denied access or prompted to provide an updated password. Because changing the password for an Active Directory account requires a connection to an Active Directory domain controller, users cannot change their own Active Directory password when working in disconnected mode.

If users log out of a session while disconnected from Active Directory, they can be authenticated using the information in the cache when they log back on because they have been successfully authenticated in a previous session. They cannot, however, be authenticated automatically to any additional services after logging back on. To enable automatic authentication for additional services, the user’s credentials must be presented to the Key Distribution Center (KDC), which then issues a ticket that can be presented to other services for unprompted, single sign-on authentication. Because the KDC is unavailable when disconnected from Active Directory, single sign-on authentication is also unavailable.

You can configure many aspects of how credentials are handled, including how frequently they are updated or discarded, through parameter settings in the centrifydc.conf configuration file. To configure how credentials are handled using group policies, you must upgrade to a licensed version of Centrify software.
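
The following is an added example, not code from this article or from Centrify: a small audit that reads a centrifydc.conf-style file and reports settings that leave offline logon open indefinitely, which matters because a disabled account can still log on from the cache. The parameter names `adclient.hash.expires`, `adclient.hash.allow` and `adclient.hash.deny`, the `name: value` file syntax, the meaning of `0` or unset as "never expires", and the 14-day limit are assumptions not stated on this page; confirm them against the configuration reference for your agent version.

```python
# Added example: audit offline-credential settings in a centrifydc.conf-style file.
# Parameter names and their defaults are assumptions; verify them for your agent version.

SAMPLE_CONF = """\
# constructed sample, not taken from a real host
adclient.hash.expires: 0
# adclient.hash.deny: root
adclient.hash.allow:
"""

def parse_conf(text):
    """Parse 'name: value' lines, skipping blank lines and # comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        settings[name.strip()] = value.strip()
    return settings

def audit_offline_login(settings, max_days=14):
    """Return findings about how long cached password hashes permit offline logon."""
    findings = []
    raw = settings.get("adclient.hash.expires", "0")  # assumed: unset behaves like 0
    try:
        days = int(raw)
    except ValueError:
        findings.append(f"adclient.hash.expires is not an integer: {raw!r}")
        days = None
    if days == 0:
        findings.append("cached password hashes never expire: "
                        "a disabled account can still log on offline")
    elif days is not None and days > max_days:
        findings.append(f"cached password hashes live {days} days "
                        f"(policy limit {max_days})")
    # Assumed: with neither list set, a hash is cached for every user who logs on.
    if not settings.get("adclient.hash.allow") and not settings.get("adclient.hash.deny"):
        findings.append("no allow/deny list: every user who logs on gets a cached hash")
    return findings

if __name__ == "__main__":
    for finding in audit_offline_login(parse_conf(SAMPLE_CONF)):
        print("FINDING:", finding)
```
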