Support for Disconnect/Offline Desktop Access using Password


Devices with the Windows Authentication Client installed can log in using a password when offline. When disconnected (i.e., the internet is available but AD is not reachable), users can authenticate using all supported RI methods.

Offline access requires that an Admin complete the following configuration.

User Authentication Flow Use Cases

It is important to note that the login flow experience using the Windows Authentication Client depends on whether the device is domain joined.

Please review the use cases below to understand the differences.

User Experience for Domain Joined Devices

| Mode Name | Internet | Active Directory | Description |
| --- | --- | --- | --- |
| Offline | ❌ Off | ❌ Off | Device is not connected to the internet, and is not able to access the domain |
| Disconnected | ✅ On | ❌ Off | Device is connected to the internet, but is NOT able to access the domain |
| Standard | ✅ On | ✅ On | Device is connected to the internet, and is able to access the domain |

User Experience for Non-Domain Joined Devices

| Mode Name | Internet | Description |
| --- | --- | --- |
| Offline | ❌ Off | Device is not connected to the internet |
| Standard | ✅ On | Device is connected to the internet |

Configuration Steps for Offline or Disconnected Access:

  1. Sync RI users with your AD Server (Domain Joined Devices).

  2. Authenticate the user at least once with any RI authentication method while the client machine is connected to the network and the AD server is available. This step creates the password cache on the Windows machine.

  3. Disconnect your client machine from the internet, or switch off the AD Server, or both (domain/non-domain).

  4. To start authentication, enter the username.

  5. Authenticate users in order to provide device access, using the authentication methods available for their machine mode.

WAC Mode Authentication Method Availability

Offline Mode → User will only be able to access the device using a Username and Password.

Disconnected mode (Domain Joined Devices) → User will be able to access the device using all methods available through their RapidIdentity Authentication Policies.

Standard Mode → User will be able to access the device using all methods available through their RapidIdentity Authentication Policies.

Offline Mode (Password)

  6. After entering their RapidIdentity password, the user gains access to the desktop and is logged into the client machine.

Important notes regarding utilizing the Offline Access Feature

Domain-joined & Non-Domain/Local users:

  • To use the offline desktop access feature, the WAC user must log in to the client machine at least once while networked.

  • To perform offline desktop access in WAC, users must sync their AD and RI passwords every time they change their password.

  • Domain-joined users can authenticate using all available methods to log in to their machines while in disconnected mode, i.e., when the machine has internet access but is not connected to the domain or Active Directory is unavailable.

  • Password update features in WAC (such as Forgot Password, Claim Account, Password Expiry, and Password Change) are not accessible to domain-joined users during disconnected mode.

  • Domain-joined users can access the Forgot Username feature in WAC even while in disconnected mode.

Domain-joined users:

  • Credential caching is controlled by the GPO setting "Interactive logon: number of previous logons to cache (in case domain controller is not available)"; setting it to 0 disables caching. To utilize Offline Access, we recommend that the value of CachedLogonsCount in the registry key be greater than 0 and at most 10. Cached logon information is controlled by the following Registry Editor (Regedit.exe) key:

    • Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\

    • Value name: CachedLogonsCount

    • Data type: REG_SZ

    • Expected values (turn on logon cache): 1 - 50

    • Value to turn off logon cache: 0

    • Default Value: 10

Any changes you make to this key require that you restart the computer for the changes to take effect. Windows provides a valid range of values for the domain user password cache from 0 to 50. A value of 0 turns off logon caching, and any value above 50 will only cache 50 logons. By default, all versions of Windows remember 10 cached logons except Windows Server 2008. Refer to the Microsoft documentation "Cached domain logon information - Windows Server" to learn more about the cached logon count registry data.
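The following PowerShell script is an added example, not part of the RapidIdentity documentation: it audits the CachedLogonsCount value on a client against the range recommended above (greater than 0 and at most 10) and corrects it if needed. It assumes an elevated PowerShell session on the domain-joined Windows client; the function names are the author's own.

```powershell
# Added example (not part of the RapidIdentity documentation): check and, if needed,
# correct CachedLogonsCount so that offline desktop access works.
# Assumes an elevated PowerShell session on the domain-joined client machine.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName = 'CachedLogonsCount'

function Get-CachedLogonsCountState {
    # Returns the current value and whether it falls in the recommended range (>0 and <=10).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: Windows applies its default of 10, which is within range.
        return [pscustomobject]@{ Present = $false; Value = 10; Recommended = $true; Reason = 'absent, default of 10 applies' }
    }
    # The value is stored as REG_SZ, so it arrives as a string and must be parsed.
    $raw = [string]$item.$ValueName
    $n = 0
    if (-not [int]::TryParse($raw, [ref]$n)) {
        return [pscustomobject]@{ Present = $true; Value = $raw; Recommended = $false; Reason = 'value is not numeric' }
    }
    $why = if ($n -eq 0) { 'logon caching is turned off' }
           elseif ($n -gt 10) { 'above the recommended maximum of 10' }
           else { 'within the recommended range' }
    return [pscustomobject]@{ Present = $true; Value = $n; Recommended = (($n -gt 0) -and ($n -le 10)); Reason = $why }
}

function Set-CachedLogonsCount {
    # ValidateRange enforces the recommended 1..10 window before anything is written.
    param([Parameter(Mandatory)][ValidateRange(1, 10)][int]$Count)
    # Write as a string: the value's data type is REG_SZ, not REG_DWORD.
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value ([string]$Count) -Type String
    Write-Warning 'Restart the computer for the change to take effect.'
}

$state = Get-CachedLogonsCountState
"CachedLogonsCount: $($state.Value) ($($state.Reason))"
if (-not $state.Recommended) {
    # Note: if the GPO setting named above is enforced by domain policy, a local
    # registry change will be overwritten at the next policy refresh; change it in the GPO instead.
    Set-CachedLogonsCount -Count 10
}
```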