For Kerberos Authentication, the BCAAA server does not check with the domain controller (DC) for group membership information.

Group membership information is retrieved when the client logs into the workstation. Then the client receives the ticket from the DC for Kerberos and passes it to the ProxySG appliance. The appliance checks with the BCAAA server to further validate that the ticket contains the group membership information. This means that if users' group membership information changes during users' login sessions, users must force the changes made to the group membership information to appear:

1. Log out of the workstation to force the Privilege Attribute Certificate (PAC) field in the Kerberos ticket to refresh.
2. Wait for the automatic TGT renewal (this occurs by default every 10 hours).
3. Purge the local Kerberos ticket cache using the klist utility and then re-authenticate to the DC.