When using IWA-Kerberos Authentication, changes made to AD group membership are not immediately seen on the ProxySG appliance

book

Article ID: 169061

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

For Kerberos Authentication, the BCAAA server does not check with the domain controller (DC) for group membership information.

Group membership information is retrieved when the client logs into the workstation. Then the client receives the ticket from the DC for Kerberos and passes it to the ProxySG appliance. The appliance checks with the BCAAA server to further validate that the ticket contains the group membership information. This means that if users' group membership information changes during users' login sessions, users must force the changes made to the group membership information to appear:
  1. Log out of the workstation to force the Privilege Attribute Certificate (PAC) field in the Kerberos ticket to refresh.
  2. Wait for the automatic TGT renewal (this occurs by default every 10 hours).
  3. Purge the local Kerberos ticket cache using the klist utility and then re-authenticate to the DC.