Posted: 16 Mar 2018 11:06 EDT Last activity: 27 Mar 2018 10:06 EDT
Credential storage on non-roaming infrastructure
Have an environment with 1000 RDA users that move from machine to machine as their work week progresses. The applications they interface with have IDs/passwords. Originally wanted to use ASO. But that depends on Roaming Profiles being active. Unfortunately the infrastructure team has that feature disabled. Instead they provide a NAS subdirectory for each user to use as their roaming storage (mapped as a Y: drive).
So we switched to credential storage, placing the file on the Y: drive. However there is a problem with the credential store being encrypted with the local Machine ID. As a result, when a user switches machines, the credential store is found but not usable due to the encryption at a local machine level.
Can I resolve this problem by either:
1) Telling the ASO to use the Y: drive for storage, instead of c:\user\username\appdata\roaming. or
2) Tell the credential manager not to use the local machine ID in the encryption, thus allowing it to become a roaming file stored on Y:
You cannot use either of your solutions to get around the roaming profile issue. The ASO Manager uses Microsoft's DPAPI technology to encrypt credentials. There is a key file and the credential store. I believe the credentials are not tied to the machine ID but instead to the user.
I recommend contacting support to make a product request. There really is no easy way around this.
This is an ongoing issue for us, and there is an SR open (somewhere) on the topic. Will have a look at the DPAPI. Last research indicates the credential store uses both machine and user for encryption (which doesn't make sense if in roaming mode). Will need to do more research on my side.
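The answer above says the store is protected with DPAPI, and the follow-up says research points at both a user and a machine component. The example below is added by the editor and is not from the thread participants or from the ASO/Credential Manager vendor; it shows the one DPAPI property that decides the outcome on a second machine: a blob protected with the CurrentUser scope is bound to a per-user master key stored in the user's profile (%APPDATA%\Microsoft\Protect\<SID>\<master-key-GUID>), while a LocalMachine blob is bound to the machine's own master key. Reading the master-key GUID out of the blob header and checking whether that key file exists locally tells you whether the blob can be decrypted here at all. The sample secret and entropy are constructed; whether the product's key file on Y: is a raw DPAPI blob is not established by the thread, so Test-DpapiBlobUsableHere is only meaningful on files that are.

```powershell
# Added example, not code from the thread or the product vendor.
# Demonstrates how DPAPI scope (CurrentUser vs LocalMachine) binds a protected
# blob to a master key, and how to tell which master key a blob references.
Add-Type -AssemblyName System.Security

$secret  = [Text.Encoding]::UTF8.GetBytes('app-password-example')   # constructed sample secret
$entropy = [Text.Encoding]::UTF8.GetBytes('optional-app-entropy')   # assumed optional entropy

# CurrentUser: encrypted under the user's DPAPI master key. That key lives in
# %APPDATA%\Microsoft\Protect\<SID>\<GUID>, so it follows the user only if the
# profile (or credential roaming) carries it to the next machine.
$userBlob = [Security.Cryptography.ProtectedData]::Protect(
    $secret, $entropy, [Security.Cryptography.DataProtectionScope]::CurrentUser)

# LocalMachine: encrypted under this host's master key. Any account on this host
# can decrypt it; no account on another host can.
$machineBlob = [Security.Cryptography.ProtectedData]::Protect(
    $secret, $entropy, [Security.Cryptography.DataProtectionScope]::LocalMachine)

function Get-DpapiMasterKeyGuid {
    param([byte[]]$Blob)
    # DPAPI blob header: DWORD version (0-3), provider GUID (4-19),
    # DWORD master-key version (20-23), master-key GUID (24-39).
    [guid]::new([byte[]]$Blob[24..39])
}

function Test-DpapiBlobUsableHere {
    # Given a DPAPI blob (e.g. read from a file on the Y: share), report which
    # master key it references and whether that key exists on this machine.
    param([byte[]]$Blob)
    $guid = Get-DpapiMasterKeyGuid -Blob $Blob
    $sid  = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $userKey    = Join-Path $env:APPDATA "Microsoft\Protect\$sid\$guid"
    $machineKey = Join-Path $env:WINDIR  "System32\Microsoft\Protect\S-1-5-18\User\$guid"
    [pscustomobject]@{
        MasterKey         = $guid
        UserKeyPresent    = Test-Path $userKey
        MachineKeyPresent = Test-Path $machineKey
    }
}

# Both blobs round-trip on the machine that created them...
foreach ($b in @($userBlob, $machineBlob)) {
    $plain = [Security.Cryptography.ProtectedData]::Unprotect($b, $entropy, 'CurrentUser')
    if ([Text.Encoding]::UTF8.GetString($plain) -ne 'app-password-example') { throw 'round-trip failed' }
}

# ...but they reference different master keys: the user blob's key sits in the
# profile (UserKeyPresent = True), the machine blob's key in System32 (MachineKeyPresent = True).
'CurrentUser blob:';  Test-DpapiBlobUsableHere -Blob $userBlob
'LocalMachine blob:'; Test-DpapiBlobUsableHere -Blob $machineBlob

# To inspect a store file on the roaming share, if it is a raw DPAPI blob (assumption):
# Test-DpapiBlobUsableHere -Blob ([IO.File]::ReadAllBytes('Y:\path\to\credential-store'))
```

Run it on two different machines as the same user with the Y: drive mapped: if the file's master-key GUID is not present under the user's Protect folder on the second machine, that missing master key, not a "machine ID" in the file itself, is why the store is found but unusable there. The Unprotect call for the LocalMachine blob passes 'CurrentUser' as the scope argument because DPAPI ignores the scope on decryption and uses the master key named in the blob header.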