  • Default ticket lifetimes

    The default ticket lifetimes are controlled at the domain level by using domain policy. The defaults are:
    • MaxServiceTicketAge: 10 hours
    • MaxTicketAge: 10 hours
    • MaxRenewAge: 7 days
    • MaxClockSkew: 5 minutes

    Interactive logon: Number of previous logons to cache (in case domain controller is not available)

    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

    Description

    Determines the number of times a user can log on to a Windows domain using cached account information.

    Logon information for domain accounts can be cached locally so that, in the event a domain controller cannot be contacted on subsequent logons, a user can still log on. This setting determines the number of unique users for which logon information is cached locally.

    If a domain controller is unavailable and a user's logon information is cached, the user is prompted with the following message:

    A domain controller for your domain could not be contacted. You have been logged on using cached account information. Changes to your profile since you last logged on may not be available.

    If a domain controller is unavailable and a user's logon information is not cached, the user is prompted with this message:

    The system cannot log you on now because the domain <DOMAIN_NAME> is not available.

    Default: 10.

    Note

    Setting this value to 0 disables the local caching of logon information.

    The maximum value for this setting is 50.
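    The two settings above are both checked most easily from a security-policy export. The following PowerShell is an added audit example, not code from the original post or from thelazyadmin: it parses the INF layout that `secedit /export /cfg <file>` produces (section `[Kerberos Policy]` with the keys MaxTicketAge in hours, MaxRenewAge in days, MaxServiceAge and MaxClockSkew in minutes, which is how the MaxServiceTicketAge value named above is stored, and the `[Registry Values]` line for `CachedLogonsCount` under Winlogon) and reports values that exceed the defaults quoted above. The INF text embedded in the script is constructed sample data; the threshold parameter and function names are this example's own.

```powershell
# Constructed sample of a secedit export (NOT a real host's policy). On a real machine:
#   secedit /export /cfg C:\temp\secpol.inf
# The [Kerberos Policy] section is only emitted when the export is taken on a domain controller.
$SampleInf = @'
[Unicode]
Unicode=yes
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"25"
[Version]
signature="$CHICAGO$"
Revision=1
'@

function ConvertFrom-SeceditInf {
    # Parses INF text into a hashtable: section name -> (key -> raw value string).
    param([Parameter(Mandatory)][string]$Text)
    $result = @{}
    $section = ''
    foreach ($line in $Text -split "`r?`n") {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $result[$section] = @{}; continue }
        $idx = $line.IndexOf('=')
        if ($idx -lt 1 -or -not $section) { continue }
        $result[$section][$line.Substring(0, $idx).Trim()] = $line.Substring($idx + 1).Trim()
    }
    return $result
}

function Test-CachedLogonPolicy {
    # Compares the parsed policy against the defaults from the post (10 h / 10 h / 7 d / 5 min)
    # and against an organisation-chosen ceiling for CachedLogonsCount (hypothetical parameter).
    param([Parameter(Mandatory)][hashtable]$Policy, [int]$MaxAllowedCachedLogons = 10)
    $findings = @()

    # Kerberos defaults in secedit units: MaxServiceAge is minutes, so 10 h = 600.
    $expected = @{ MaxTicketAge = 10; MaxServiceAge = 600; MaxRenewAge = 7; MaxClockSkew = 5 }
    $kerb = $Policy['Kerberos Policy']
    if ($kerb) {
        foreach ($k in $expected.Keys) {
            if ($kerb.ContainsKey($k) -and [int]$kerb[$k] -gt $expected[$k]) {
                $findings += "Kerberos: $k = $($kerb[$k]) exceeds the default $($expected[$k])"
            }
        }
    } else {
        $findings += 'Kerberos Policy section absent (export not taken on a domain controller?)'
    }

    # Cached logons: stored as <regtype>,"<data>" (REG_SZ, type 1). Absent means the default of 10.
    $regKey = 'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount'
    $regSection = $Policy['Registry Values']
    $raw = if ($regSection) { $regSection[$regKey] } else { $null }
    if ($null -eq $raw) {
        $findings += 'CachedLogonsCount not set by policy; the Windows default of 10 applies'
    } else {
        $count = [int](($raw -split ',', 2)[1].Trim('"'))
        if ($count -gt $MaxAllowedCachedLogons) {
            $findings += "CachedLogonsCount = $count exceeds the allowed maximum of $MaxAllowedCachedLogons"
        }
        if ($count -eq 0) { $findings += 'CachedLogonsCount = 0: logon is impossible when no DC is reachable' }
    }
    return $findings
}

function Get-LiveCachedLogonsCount {
    # Reads the effective value on the current host; returns $null when unset or not on Windows.
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
                          -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($p) { return [int]$p.CachedLogonsCount }
    return $null
}

# Run against the constructed sample: flags the CachedLogonsCount of 25.
$policy = ConvertFrom-SeceditInf -Text $SampleInf
Test-CachedLogonPolicy -Policy $policy | ForEach-Object { Write-Output "FINDING: $_" }
```

Lowering CachedLogonsCount limits how many users' verifiers a lost or stolen laptop carries, while the value 0 trades that for the inability to log on without a reachable domain controller; the script reports both conditions so the reviewer can weigh them.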

    Understanding Cached Credentials


    Windows 2000/XP and 2003 all support cached credentials. There are two types of cached credentials, Domain and Generic, and each performs the same task but in different areas.

    Cached Domain credentials are used by the OS and are authenticated by the Local Security Authority (LSA). The Domain credential is normally created when the user logs into the domain and a Kerberos ticket is registered. Generic credentials are a little different in that they are authenticated by programs that manage security on their own rather than handing it off to the OS. An example of a Generic credential would be a program that requires a username and password to start. Programs use what is called a credential manager, which prompts the user for the credentials required by the application. The credentials can consist of a username and password, a smartcard, a biometric or some other form. Whichever type of credentials the user enters, they are returned to the application for authentication. The credential manager allows you to customize cache management. The credential manager also allows long-term storage of generic credentials so that users do not need to repeatedly enter their credentials.

    In Windows XP and 2003, this credential manager is called the Stored User Names and Passwords feature, which stores the saved credentials securely. These credentials can include passwords and X.509 certificates. It supports both roaming and non-roaming users, requiring the user to provide credentials only once. As another example, the first time a user runs a program on your corporate network that requires authentication, the user is prompted to supply credentials. Once the user has provided the credentials, they continue to be associated with the application. Cached Domain credentials provide additional functionality, including Single Sign-On (SSO) and access to resources when no DC is available. SSO uses the credentials that the OS obtains during an interactive domain logon to let the user authenticate to the domain once.

    After this authentication, the user has access to all the network resources they have permissions to without needing to provide their credentials again. These resources can be located throughout an enterprise, and in different domains. After a user has successfully logged into the domain, the logon information is cached. The next time the user logs on to the computer using the domain account, they can be authenticated even if the domain controller that authenticated the user is unavailable. This is because the user has already been authenticated, and Windows can use the cached credentials to log the user on locally.

    This is common with road warriors who log into the domain on their laptops; when they are away from the office and no DC is available, Windows uses the cached credentials from the previous logon to log the user on locally and to allow access to local computer resources. Windows 2000/XP and 2003 do not cache the credentials directly; what they store is an encrypted verifier. This verifier uses what is termed a "salted" MD4 hash that is computed twice, leaving a hash of the hash of the credentials. This verifier cannot be used to log on from any other computer.

    Excerpted from: http://thelazyadmin.com/blogs/thelazyadmin/archive/2006/01/31/Understanding-Cached-Credentials.aspx

  • Original post: https://www.cnblogs.com/jjkv3/p/1717404.html