In this policy, you can disable the local caching of authenticators. The policy is supported for Windows Client, Mac OS X Client, and Linux PAM Client for chains that use the following methods: LDAP Password, Password, HOTP, TOTP, Smartphone (offline mode), Card, FIDO U2F, Fingerprint, and PKI.
This policy allows you to configure the following settings:
By default, the option is enabled. To disable the caching, set the option to and click .
The caching functionality stores credentials on the Client for offline authentication, which is used when the Advanced Authentication server is not available. Therefore, a user who has successfully logged in to the server once with the authentication can then log in with the offline authentication.
By default, theis set to 0, to indicate that the cache never expires. Use the option to set the duration (in hours) to store user authenticators in Client cache. The maximum expiry time that you can set is 24 * 366 (8784 hours). This setting is applicable for the Advanced Authentication Clients.
When a user logs in with cached authenticators, Advanced Authentication compares the last online login time with the current offline authentication time. If the time duration is less than or equal to the specified duration in, the user is authenticated to Clients.
For example, consider theis set to 2 hours. The last online login time of the user to Client is 1:00 PM. When the user tries to log in to Windows Client using cached authenticator credentials at 2:30 PM, the authentication is successful and the user is logged in to Windows Client. However, if the user tries to log in with cached authenticator credentials at 4:00 PM, the offline authentication fails and the following message is displayed because the cache has expired:
Authenticators of <user name> were not cached. Press OK and try again to log in as local user or cached user
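The expiry comparison described above, written out as an added example (not Advanced Authentication's own code). The function names, and the choice to reject a client clock that is earlier than the last online login, are assumptions made here.

```python
from datetime import datetime, timedelta

MAX_EXPIRY_HOURS = 24 * 366  # 8784 hours, the maximum the policy accepts
NEVER_EXPIRES = 0            # default value: the cache never expires


def validate_expiry_hours(hours):
    """Reject values outside the range the policy allows (hypothetical helper)."""
    if isinstance(hours, bool) or not isinstance(hours, int):
        raise ValueError("expiry must be a whole number of hours")
    if not 0 <= hours <= MAX_EXPIRY_HOURS:
        raise ValueError(f"expiry must be between 0 and {MAX_EXPIRY_HOURS} hours")
    return hours


def offline_login_allowed(last_online, now, expiry_hours):
    """Decide whether cached authenticators may still be used offline.

    last_online: time of the user's last successful online login
    now:         time of the offline authentication attempt
    """
    expiry_hours = validate_expiry_hours(expiry_hours)
    if expiry_hours == NEVER_EXPIRES:
        return True
    elapsed = now - last_online
    # Assumption (not stated on the page): a clock reading earlier than the
    # last online login is treated as a failure instead of a fresh cache.
    if elapsed < timedelta(0):
        return False
    # The page's rule: allowed when elapsed time <= configured duration.
    return elapsed <= timedelta(hours=expiry_hours)


if __name__ == "__main__":
    # Constructed sample matching the page's scenario: expiry of 2 hours,
    # last online login at 1:00 PM.
    last = datetime(2024, 1, 1, 13, 0)
    for attempt in (datetime(2024, 1, 1, 14, 30), datetime(2024, 1, 1, 16, 0)):
        verdict = "allowed" if offline_login_allowed(last, attempt, 2) else "cache expired"
        print(attempt.strftime("%I:%M %p"), verdict)
```

With the default of 0, every offline attempt passes regardless of how long ago the user last authenticated online, which is the case to weigh when deciding on an expiry value.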
By default, theis set to , to indicate that shared authenticators are not cached. To enable caching shared authenticators in Clients, set to . Clients can use cached details for validation during the offline authentication.
Before you enable this option, ensure that you enable the following settings to cache shared authenticators:
NOTE: You can use the enforced cached logon instead of the default online logon to improve the logon and unlock speed on Clients. For more information, refer to the following topics: