My user account is trying to logon another system and I don’t know why!

A customer reported that while they were using their computer, their user account was trying to logon to another system (CRAGGYISLAND) and they wanted to know why.  In technical speak, Cross Domain Authentication attempts were occurring.

So I looked into it, and the cause of the problem was this:

  1. customer had previously connected to CRAGGYISLAND server file share, which was located in a different Active Directory Domain, with different credentials.
  2. this share had "Offline Files" set.
  3. Offline Files (aka Client Side Caching) cached those files.
  4. Sometime later they disconnected from the CRAGGYISLAND server file share.
  5. Much later they noticed, or our IT Security folk noticed, many CROSS DOMAIN AUTHENTICATION attempts, which were failing.
    The cause was the Windows 7 Offline Files Service was trying to sync the CRAGGYISLAND server files in it’s Offline Files Cache, and failing.

The solution was to clear the Offline Files Cache on the Windows 7 computer by following the instructions in this article: On a Windows Vista-based or Windows 7-based client computer, you can still access offline files even though the file server is removed from the network.

I diagnosed the cause by using cross referenced the time of the Cross Domain Authentication attempts with the output of Process Monitor.