
Access allowed or denied when newly added group membership should have changed access


Article ID: 173757


Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS

Issue/Introduction

A user is added to a new group in Active Directory (AD), but retains their original access to the site, as if the group had not been added.

Access to a site is incorrectly denied or allowed after a user is newly added to a new group that should change this result.

Cause

The Kerberos ticket is set when a user logs on to their PC. When the user is then added to a group in AD, the new group membership is not reflected in the current Kerberos ticket, so the new access is not reflected when the proxy decrypts the ticket.

Environment

ProxySG with Kerberos authentication

Resolution

  • Log the user off of their PC and back on to manually refresh the Kerberos ticket.
  • Under Statistics > Authentication > Display by user, find the user and log them off to force the surrogate to refresh.
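
To confirm the cause described above before logging the user off, the following added example (not part of the original article or of any Broadcom tooling) compares the group SIDs in the user's current logon token, which was built at logon, with the groups AD computes for the account now. It assumes PowerShell 5 or later, a domain account in a single-domain environment, and that it is run in the affected user's session on their domain-joined PC; the function and property names it defines are illustrative.

```powershell
# Added example: run in the affected user's logon session on a domain-joined PC.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$domainSid = $identity.User.AccountDomainSid.Value

# Group SIDs in the logon token. These were fixed when the user logged on.
$tokenSids = @($identity.Groups | ForEach-Object { $_.Value })

# Group SIDs AD computes for the account right now.
# tokenGroups is a constructed attribute, so it must be requested explicitly.
$user = [adsi]"LDAP://<SID=$($identity.User.Value)>"
$user.RefreshCache(@('tokenGroups'))
$adSids = @(foreach ($bytes in $user.Properties['tokenGroups']) {
    [System.Security.Principal.SecurityIdentifier]::new([byte[]]$bytes, 0).Value
})

# Hypothetical helper: show a readable name, falling back to the raw SID.
function Resolve-SidName([string]$Sid) {
    try {
        [System.Security.Principal.SecurityIdentifier]::new($Sid).
            Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

# Only compare SIDs issued by the user's own domain, so well-known and
# local-machine SIDs that never appear in tokenGroups are ignored.
$addedSinceLogon = @($adSids |
    Where-Object { $_ -like "$domainSid-*" -and $_ -notin $tokenSids })
$removedSinceLogon = @($tokenSids |
    Where-Object { $_ -like "$domainSid-*" -and $_ -notin $adSids })

[pscustomobject]@{
    User             = $identity.Name
    InAdNotInToken   = @($addedSinceLogon   | ForEach-Object { Resolve-SidName $_ })
    InTokenNotInAd   = @($removedSinceLogon | ForEach-Object { Resolve-SidName $_ })
    LogonIsStale     = ($addedSinceLogon.Count + $removedSinceLogon.Count) -gt 0
} | Format-List
```

A group listed under InAdNotInToken was added after the user logged on, which matches the cause above; if both lists are empty, the group change is already reflected in the user's logon and the access result has another cause.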