A customer reported that while they were using their computer, their user account was trying to logon to another system (
CRAGGYISLAND) and they wanted to know why. In technical speak, Cross Domain Authentication attempts were occurring.
So I looked into it, and the cause of the problem was this:
- customer had previously connected to
CRAGGYISLANDserver file share, which was located in a different Active Directory Domain, with different credentials.
- this share had "Offline Files" set.
- Offline Files (aka Client Side Caching) cached those files.
- Sometime later they disconnected from the CRAGGYISLAND server file share.
- Much later they noticed, or our IT Security folk noticed, many CROSS DOMAIN AUTHENTICATION attempts, which were failing.
- The cause was the Windows 7 Offline Files Service was trying to sync the
CRAGGYISLANDserver files in it’s Offline Files Cache, and failing.
The solution was to clear the Offline Files Cache on the Windows 7 computer by following the instructions in this article: On a Windows Vista-based or Windows 7-based client computer, you can still access offline files even though the file server is removed from the network.
I diagnosed the cause by using cross referenced the time of the Cross Domain Authentication attempts with the output of Process Monitor.