search cancel

Access allowed or denied when newly added group membership should have changed access


Article ID: 173757


Updated On:


Advanced Secure Gateway Software - ASG ProxySG Software - SGOS


A user is added to a new group in AD, but the user retains original access to the site as if the group was not added.

Access to a site is incorrectly denied or allowed after a user is newly added to a new group that should change this result.


ProxySG with Kerberos authentication


The Kerberos ticket is set when a user logs on to their PC.  When added to a group in AD, this new group membership is not reflected in the current Kerberos ticket, and therefore the value for the new access is not reflected when this is decrypted by the proxy.


  • Log the user off of their PC and back on to manually refresh the Kerberos ticket.
  • Under Statistics > Authentication > Display by user, find the user and log them off to force the surrogate to refresh.