This article describes the traffic flow of IWA-BCAAA Kerberos authentication through Edge SWG (formerly ProxySG) appliances.
Kerberos Authentication Flow with IWA-BCAAA
Note that the service ticket (initially requested by the client) already contains the end user's group memberships. By default, the service ticket is cached for 10 hours; this lifetime can be changed in AD group policy if desired.
The client does not renew a cached service ticket until it expires or until the user logs in to Windows again. Because the ticket carries the group memberships, the user's groups are not updated until the client obtains a new ticket, so the Edge SWG (formerly ProxySG) appliance does not learn of group membership changes until then. Likewise, if an administrator changes a user's AD group membership and then logs the user out of the Edge SWG appliance, the appliance still does not pick up the change until the client obtains a new ticket (for example, when the user logs out of Windows and logs back in).
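To make the caching behaviour above concrete, here is an added simulation (not part of this article and not Edge SWG or Windows code) that models a KDC snapshotting group membership into a 10-hour service ticket, a client that reuses its cached ticket, and a proxy that authorizes from the ticket's groups alone; the user name, group names and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

TICKET_LIFETIME = timedelta(hours=10)  # AD default service-ticket lifetime (the article's 10 hours)

@dataclass(frozen=True)
class ServiceTicket:
    groups: frozenset  # memberships snapshotted at issue time, as the article describes
    expires: datetime
class Domain:
    """Stand-in for AD: live group membership plus a KDC that copies it into each ticket."""
    def __init__(self, memberships):
        self.memberships = {u: set(g) for u, g in memberships.items()}
    def issue_ticket(self, user, now):
        return ServiceTicket(frozenset(self.memberships[user]), now + TICKET_LIFETIME)
class Client:
    """Windows client: reuses its cached ticket until expiry or a fresh Windows logon."""
    def __init__(self, domain, user):
        self.domain, self.user, self.ticket = domain, user, None
    def get_ticket(self, now):
        if self.ticket is None or now >= self.ticket.expires:
            self.ticket = self.domain.issue_ticket(self.user, now)
        return self.ticket
    def windows_logon(self, now):
        self.ticket = self.domain.issue_ticket(self.user, now)
class Proxy:
    """Edge SWG side: authorizes from the groups in the presented ticket, never from live AD."""
    def __init__(self):
        self.sessions = set()
    def allowed(self, client, now, required_group):
        self.sessions.add(client.user)
        return required_group in client.get_ticket(now).groups
    def logout(self, user):
        self.sessions.discard(user)  # ends the proxy session but leaves the client's ticket cached

def demo():
    """Replay the article's scenario; returns the authorization result at each step."""
    t0, t_late = datetime(2024, 1, 1, 8, 0), datetime(2024, 1, 1, 19, 0)  # 11 h apart
    ad = Domain({"alice": {"Domain Users", "Web-Allowed"}})  # constructed sample data
    client, proxy = Client(ad, "alice"), Proxy()
    result = {"initial": proxy.allowed(client, t0, "Web-Allowed")}
    ad.memberships["alice"].discard("Web-Allowed")  # admin removes the group in AD
    proxy.logout("alice")                           # logging out of the proxy does not help
    result["removed_same_ticket"] = proxy.allowed(client, t0 + timedelta(hours=1), "Web-Allowed")
    result["removed_after_expiry"] = proxy.allowed(client, t0 + TICKET_LIFETIME, "Web-Allowed")
    ad.memberships["alice"].add("Web-Allowed")      # group restored; client now holds a ticket without it
    result["restored_same_ticket"] = proxy.allowed(client, t_late, "Web-Allowed")
    client.windows_logon(t_late)                    # fresh Windows logon obtains a new ticket
    result["restored_after_relogon"] = proxy.allowed(client, t_late, "Web-Allowed")
    return result
```

Each entry in the returned dictionary corresponds to one of the cases the article describes: the proxy sees a membership change only after the client's ticket expires or is replaced by a new Windows logon.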