Many thanks to all who commented on my question regarding whether a PC caches credentials when prompted for authentication for a web application protected by NTFS file permissions. Also, thanks for clarifying that it is NTLM authentication caching that I am concerned with, as this is what NTFS uses for authentication. It appears that most of you agree that some form of caching is occurring. Since I have no control over the home PCs, I will be recommending some other form of authentication for this web application, such as access through a VPN or Citrix server, or perhaps a separate id/password.
I also put my authentication caching question to Microsoft to see what their answer would be. For those who are interested, here is a cut & paste of their official reply:

The short answer to your question of, "If a user on a home PC (using Windows 3.x, 98, NT, or 2000) accesses a company web site that requires NTFS authentication against the company's domain controller, is that company userid/password cached on the home PC," is yes. Depending on what client is used, it will be cached in different manners. The .pwl files on 9x clients are where the info is stored. It is stored in the registry on NT 4.0 and Windows 2000. Both areas are encrypted, and the username and password are not something that can be read straight from the file or registry.

My question to you is, what are you trying to accomplish? What is your goal? Are you concerned about cached credentials as a security hole in your organization? Do you have a specific scenario that we can troubleshoot?

Thanks again,
Carol
