  1. #1
    BHarder, 4 Star Lounger (Fort McMurray, Alberta, Canada)

    Safe Mode Weirdness

    We recently cracked a Safe Mode problem. The answer was so unexpected that I just had to post it.

    The setup is a classic corporate laptop. It's a member of Active Directory and is managed in the usual sorts of ways. Windows 7 system, if that helps. One day I'm away from the office and the laptop started blue screening on me.

    Being the responsible sort I ran the available tests. RAM checks out OK. Disk checking, I need to downshift to Safe Mode to get the best results, but that's easy (actually we have a lot of security software which can get in the way, but there's no choice but to accommodate it). And then for some reason, Safe Mode refuses me access. Repeatedly. After 3 tries I'm dead certain that I'm entering my credentials correctly. Huh?

    Next I begin poking around, trying different things. During the course of this I discover that Safe Mode With Networking accepts my credentials. Aha! I think, the problem was that my laptop needed to connect back to the corporate domain to authenticate me, makes sense. Except no, that makes no sense at all.

    Knowledgeable readers will know that Windows caches credentials locally, to permit off-network logins. That way Windows can function without a network, or if it is attached to the "wrong" network. And there's another conceptual problem too! Safe Mode With Networking is stripped down network functionality meaning that I'm not running my VPN client. I'm connected to "a" network but it's not my corporate network, and there's no VPN software to allow secure tunneling back to my home domain.

    All this means that Safe Mode With Networking should not have worked. No, that's wrong and backwards! Safe Mode without networking itself should have worked. Still puzzled.

    I log a case with my Help Desk. The first analyst comes up with an explanation that... didn't really satisfy. Essentially his answer was that this was "working as designed", and you need administrative privileges to log into Safe Mode. I don't have admin level privileges but I've never heard of this requirement before, and I've been working with Windows for 25 years now. For a good part of that time I was admin, but as I say this explanation didn't satisfy.

    A second Help Desk analyst begins working on my case. He notices something that solves the puzzle!

    Get this. To log in to plain Safe Mode, with AD cached credentials, you have to qualify your login with your network domain. Like this:

    Code:
    Domain\MyLogin
    Without this extra domain information, Windows was trying to log me in to the local PC. The fact that my credentials were cached locally wasn't enough. Those credentials were tagged with the domain qualifier. Windows won't even look for domain qualified accounts unless you ask it to.

    If you use Safe Mode With Networking, you don't need the domain information because apparently Windows is then smart enough to assume the correct domain!

    The login scope information was actually on-screen too, the whole time. However it's a part of the login screen I rarely (never) even look at. Only the second Help Desk analyst noticed.
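The following is an added diagnostic, not code from the post above or from any poster in this thread. It collects on one screen the facts the two Help Desk analysts had to dig out: whether the machine is domain-joined, whether it is currently booted into Safe Mode (and which kind), how many domain logons Winlogon is permitted to cache, which domain the logon prompt defaults to, and the qualified forms of the current user's name. The registry values, environment variables and the Win32_ComputerSystem class are real; the function name and the field names on the output object are my own, the UPN form (user@dns-domain) is listed as an alternative that the thread itself did not test, and the final "prompt is scoped to the local machine" check is a heuristic based on the DefaultDomainName value. Assumes Windows PowerShell 3.0 or later, run as the domain user in question.

```powershell
# Added example, not from the thread. Gathers the facts behind a Safe Mode logon
# failure on a domain-joined Windows client. Field names are hypothetical; the
# registry values, environment variables and CIM class are real.
function Get-SafeModeLogonFacts {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $wl = Get-ItemProperty -Path $winlogon

    # CachedLogonsCount is a REG_SZ; absent means the default of 10. A value of
    # "0" means no domain logon is cached at all, so no off-network domain logon
    # of any kind (Safe Mode included) can succeed.
    $cached = if ($null -ne $wl.CachedLogonsCount) { $wl.CachedLogonsCount } else { '10 (default, value not set)' }

    [pscustomobject]@{
        ComputerName      = $cs.Name
        PartOfDomain      = $cs.PartOfDomain
        DnsDomain         = $cs.Domain            # DNS domain when joined, workgroup name otherwise
        NetbiosDomain     = $env:USERDOMAIN       # equals ComputerName in a local-account session
        BootupState       = $cs.BootupState       # 'Normal boot', 'Fail-safe boot', 'Fail-safe with network boot'
        SafebootOption    = $env:SAFEBOOT_OPTION  # 'Minimal' or 'Network' in Safe Mode, otherwise empty
        CachedLogonsCount = $cached
        DefaultDomainName = $wl.DefaultDomainName # domain Winlogon recorded as the prompt's default
        DomainQualified   = '{0}\{1}' -f $env:USERDOMAIN, $env:USERNAME   # the form the second analyst spotted
        UpnForm           = '{0}@{1}' -f $env:USERNAME, $cs.Domain        # alternative form, not tested in the thread
        LocalQualified    = '{0}\{1}' -f $cs.Name, $env:USERNAME          # what an unqualified name resolved to in the post
    }
}

$facts = Get-SafeModeLogonFacts
$facts | Format-List

# Heuristic: if the recorded default domain is the machine itself, a bare user
# name will be tried against the local SAM, so the domain qualifier is required.
if ($facts.PartOfDomain -and $facts.DefaultDomainName -eq $facts.ComputerName) {
    "Prompt defaults to the local machine; log on as $($facts.DomainQualified) (or $($facts.UpnForm)) to use cached domain credentials."
}
```

Run it once in a normal boot as the affected user and keep the output with the ticket; the DomainQualified line is the exact string to type at the Safe Mode prompt, and a CachedLogonsCount of "0" explains a failure that no amount of qualifying will fix.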


  3. #2
    WS Lounge VIP (Earth)
    Good staff on the Hell Desk, what next!

    cheers, Paul

  4. #3
    BHarder, 4 Star Lounger (Fort McMurray, Alberta, Canada)
    I've often longed for login systems that had a little "give" to them, particularly when supporting clients who struggle with those logins. The problems are often absurdly simple and some enhanced login algorithms could help.

    For instance I've toyed with the idea of a security authentication system that would notice that you typed a password that was close to correct. If it noticed this maybe it would give you a couple of extra login attempts before locking the account. And this could be done either with or without some messages commenting on this fact.

    The problem, of course, is that the computer does not really know you and has no reasonable method of distinguishing between a hacker trying to gain unauthorized access and a legitimate user simply struggling with their credentials. The computer has no red-flagging system to say "hey, this does not look right, I need to be strict or even aggressively secure."

    Under these conditions the safest way to proceed is a plain login screen. Simple rules, simple interface. And little or no user help because the system doesn't know if it is dealing with valid or invalid users.

    Yet if you've ever dealt with clients who have Fat Finger Syndrome, or don't generally "get" computers, you know what a challenge it is to help them.
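The "accept a password that is close to correct" idea in the post above can be put into numbers. The following is an added example, not code from the thread or from any poster: a verifier that accepts the typed password if it, or any string one edit away from it, hashes to the stored value, plus a count of how many candidates that makes equivalent to the real password. The function names, the sample password and the salt are hypothetical, and SHA-256 is used only so the neighbourhood can be hashed quickly enough to demonstrate the cost; a real system would use a slow password hash, which is exactly why this scheme is impractical there.

```powershell
# Added example, not from the thread. Measures what a "forgiving" password check
# costs. Names, salt and sample password are hypothetical.
$sha256 = [System.Security.Cryptography.SHA256]::Create()

function Get-PasswordHash {
    param([string]$Salt, [string]$Password)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Salt + $Password)
    return [System.BitConverter]::ToString($sha256.ComputeHash($bytes)) -replace '-', ''
}

# Every distinct string within Levenshtein distance 1 of $Password: one
# substitution, one insertion or one deletion, over the given alphabet.
function Get-DistanceOneNeighbours {
    param([string]$Password, [string]$Alphabet)
    $set = New-Object 'System.Collections.Generic.HashSet[string]'
    $n = $Password.Length
    for ($i = 0; $i -lt $n; $i++) {
        [void]$set.Add($Password.Remove($i, 1))                          # deletion
        foreach ($c in $Alphabet.ToCharArray()) {
            [void]$set.Add($Password.Remove($i, 1).Insert($i, $c))       # substitution
        }
    }
    for ($i = 0; $i -le $n; $i++) {
        foreach ($c in $Alphabet.ToCharArray()) {
            [void]$set.Add($Password.Insert($i, $c))                     # insertion
        }
    }
    [void]$set.Remove($Password)
    return $set
}

# Forgiving verifier: the typed value, or any of its distance-1 neighbours, may
# match the stored hash. One hash per neighbour per attempt is the price.
function Test-ForgivingPassword {
    param([string]$Salt, [string]$StoredHash, [string]$Typed, [string]$Alphabet)
    if ((Get-PasswordHash $Salt $Typed) -eq $StoredHash) { return $true }
    foreach ($cand in (Get-DistanceOneNeighbours $Typed $Alphabet)) {
        if ((Get-PasswordHash $Salt $cand) -eq $StoredHash) { return $true }
    }
    return $false
}

# Printable ASCII: 95 symbols.
$alphabet = -join (32..126 | ForEach-Object { [char]$_ })
$salt     = 'c0ffee'
$stored   = Get-PasswordHash $salt 'Tr0ub4dor&3'

Test-ForgivingPassword $salt $stored 'Tr0ub4dor&3' $alphabet   # exact match:        True
Test-ForgivingPassword $salt $stored 'Tr0ub4dor&e' $alphabet   # one-key fat finger: True
Test-ForgivingPassword $salt $stored 'Tr0ub4dor&'  $alphabet   # dropped last char:  True
Test-ForgivingPassword $salt $stored 'troubador&3' $alphabet   # three edits away:   False

# The attacker's side: every guess now covers its whole neighbourhood, so the
# per-guess success probability rises by about the neighbourhood size, i.e.
# log2(size) bits of effective password strength are given away.
$size = (Get-DistanceOneNeighbours 'Tr0ub4dor&3' $alphabet).Count
"Distance-1 neighbours of an 11-character password: $size (about {0:N1} bits lost)" -f [math]::Log($size, 2)
```

The neighbourhood for an 11-character password over printable ASCII runs to a couple of thousand strings, roughly eleven bits of strength, which is the concrete answer to the "couple of extra attempts" trade-off: the extra attempts are not the cost, the widened acceptance set is, and it applies equally to the attacker's guesses and to the user's typos.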

  5. #4
    mrjimphelps, WS Lounge VIP (USA)
    Quote Originally Posted by BHarder View Post
    I log a case with my Help Desk. The first analyst comes up with an explanation that... didn't really satisfy. Essentially his answer was that this was "working as designed", and you need administrative privileges to log into Safe Mode. I don't have admin level privileges but I've never heard of this requirement before, and I've been working with Windows for 25 years now. For a good part of that time I was admin, but as I say this explanation didn't satisfy.
    This is true. You have to have an administrator account in order to log into Safe Mode. That has always been my experience. But I'm not sure how you were able to log into Safe Mode with Networking if you didn't have an administrator account. Perhaps your company has set some sort of group policy?

    Quote Originally Posted by BHarder View Post
    A second Help Desk analyst begins working on my case. He notices something that solves the puzzle!

    Get this. To log in to plain Safe Mode, with AD cached credentials, you have to qualify your login with your network domain. Like this:

    Code:
    Domain\MyLogin
    Without this extra domain information, Windows was trying to log me in to the local PC. The fact that my credentials were cached locally wasn't enough. Those credentials were tagged with the domain qualifier. Windows won't even look for domain qualified accounts unless you ask it to.

    If you use Safe Mode With Networking, you don't need the domain information because apparently Windows is then smart enough to assume the correct domain!

    The login scope information was actually on-screen too, the whole time. However it's a part of the login screen I rarely (never) even look at. Only the second Help Desk analyst noticed.
    This makes sense to me. When you are part of a domain, there are local credentials and domain credentials stored on your computer, and you'll need to make sure that Windows can find the domain credentials, since that is what you have been logging on with in your day-to-day routine.
    Last edited by mrjimphelps; 2016-12-01 at 13:09.

  6. #5
    BHarder, 4 Star Lounger (Fort McMurray, Alberta, Canada)
    Quote Originally Posted by mrjimphelps View Post
    When you are part of a domain, there are local credentials and domain credentials stored on your computer, and you'll need to make sure that Windows can find the domain credentials, since that is what you have been logging on with in your day-to-day routine.
    OK, I understand that. And knowing the answer now, Windows behaviour makes more sense, but it didn't make sense at the time and that's my point.

    Here's the message I actually got,

    Your login information is incorrect.
    This results in a baffled user. 'What the heck, I'm very sure indeed that my login information IS correct!'

    Now imagine the user gets the following message:

    No such local account exists, but I do have matching Domain account X. Log in to that instead?
    What would you rather see? Is it more user-friendly? Does this result in a meaningful reduction in overall security?
