The curse of *Session credential and domain resources

Recently I have reinitialised my user account, so I need to reinstall the UW CSE printers. To do this, I type \\rps.cs.washington.edu in File Explorer and am ready to enter my CSE credential. However, I only got a prompt saying ‘… is not accessible… Logon failure: the user has not been granted the requested logon type at this computer.’

Open Folder×x

×\\rps.cs.washington.edu is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions. Logon failure: the user has not been granted the requested logon type at this computer.

OK

Normally I use a standard account linked to my Microsoft account, I have enabled ‘Require trusted path for credential entry’ policy, and I use eduroam with a different credential. So I tried different options:

• Logging in to my administrator account works: Windows prompts for credential.
• Logging out of my administrator account and back in to my usual account works, magically. However, if I restart the computer, it no longer works.
• Making my usual account an administrator does not work.
• Logging in to another standard account (just created for testing) works.
• Starting File Explorer (extraneously) as myself works.
• Enabling ‘Block all consumer Microsoft account user authentication’ does not work.
• Disconnecting from eduroam, logging off and on again, and using another network works. However, once I reconnect to eduroam, it stops working.

I found a workaround — I can just enter the credential into Credential Manager manually. Then I noticed a strange credential called *Session, whose duration is the logon session. I searched the Internet and found this and this.

The *Session credential is for SSO. Windows assumes that all domain resources come from the same domain (or mutually trusted ones) thus can use the same credential. It doesn’t think offering a chance to enter another credential is useful, so won’t display Credential UI when the attempted authentication fails. This seems to be by design.

Workaround 0

1. Open Control Panel.
2. Select User Acocunts > Manage Windows Credentials (under Credential Manager).
3. Click Add a Windows credential, and enter the network share server and the credential.

This is the best workaround. Windows will prioritise specific credentials.

Workaround 1

1. Start PowerShell.
2. Right-click Taskbar holding Ctrl+Shift and select ‘Exit Explorer’.
3. Run Get-Process explorer | Stop-Process in PowerShell. Ignore the errors.
4. If Explorer restarts, exit it again using step 2. This time it should exit properly.
5. Run Start-Process explorer -Credential (Get-Credential) -LoadUserProfile in PowerShell.
6. Enter your Windows user credential in the dialog.
7. Do whatever you should. You will see Credential UI.

Windows Security×

Enter network credentials

Enter your credentials to connect to: rps.cs.washington.edu

User name

Password

□ Remember my credentials

The user name or password is incorrect.

OK

Cancel

Now Explorer is running in another logon session, so it doesn’t have access to the *Session credential.

Problem. Cortana might not work properly when executing commands.

Workaround 2

1. Start PowerShell.
2. Run Start-Process notepad -Credential (Get-Credential) -LoadUserProfile in PowerShell.
3. Enter your Windows user credential in the dialog.
4. Hit Ctrl+O to open the Open dialog.
5. Do whatever you should in the Open dialog.

This is basically workaround 1 with Raymond’s trick.

Workaround 3

1. Open Control Panel.
2. Select User Acocunts > Manage Windows Credentials (under Credential Manager).
3. Expand *Session and delete it.
4. Do whatever you should.