BojanZivkovic-7448 asked DaisyZhou-MSFT commented

Klist: Purge User Kerberos Ticket without Logoff

Hi, having added my test account to the AD group that has rights to access a shared folder, I am still not able to access it from File Explorer without logging off/logging on (Windows Server 2016):

klist purge
runas /user:DOMAIN\testacc "cmd.exe"


I see that the Kerberos ticket has been updated (klist tgt) and whoami /groups confirms the test account is a member of the AD group, but I still always get an error that I do not have permission to access the shared folder from File Explorer. Logging off/logging on is something I would definitely like to avoid.

Any help on this would be appreciated - thank you in advance!


windows-active-directory

Hello @BojanZivkovic-7448,
Would you please tell me how things are going on your side? If you have any questions or concerns about the information I provided, please don't hesitate to let us know.
Thanks for your time and have a nice day!

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.


Hello @BojanZivkovic-7448,

If the shared folder is on a remote server, then "klist purge" should enable File Explorer to access the remote shared folder via the new group membership. Assuming that the changes in group membership have had time to replicate within the domain, I can only think of one other reason why this might not work - the process issuing the "klist purge" command and "File Explorer" are in different "logon sessions". This is actually the normal case for me: File Explorer runs in the "low privilege" logon session and I normally issue system management type commands in a command window started with "Run as Administrator" (which is a different logon session). Might this be true for you too?

Gary


Hello @BojanZivkovic-7448,
I just want to confirm the current situation.
Please feel free to let us know if you need further assistance.


Best Regards,
Daisy Zhou


DaisyZhou-MSFT answered

Hello @BojanZivkovic-7448,

Thank you for posting here.

We can see one domain user on one domain client wants to access \\server\shared folder to read a file. The process follows this sequence (the user has already logged on, and the user has requested and received a ticket for the workstation):

[image attachment: per1.png]


Then for a user session that originally logged in normally, the user's access token only includes the permissions that the user had when logging in.

Winlogon creates a window station and several desktop objects for the user, attaches the user's access token, and starts the shell process the user will use to interact with the computer. The user's access token is subsequently inherited by any application process that the user starts during the logon session.

When the user logs out, the credential cache is refreshed, and all service tickets and all session keys are destroyed.

If the user's permissions on the shared folder are changed (the user originally did not have permission to the shared folder, and now the user is given permission on the shared folder), log off the user, and log in to the client with the user's account again.

Only then are the new permissions included in the user's access token in the user's new logon session, and the user can access the shared folder.

For more information, we can refer to the link below.

How the Kerberos Version 5 Authentication Protocol Works
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772815(v=ws.10)?redirectedfrom=MSDN


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou



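As an added illustration of the two explanations above (Gary's point that "klist purge" only reaches the tickets of the logon session the command runs in, and this answer's point that the ticket cache and access token belong to the logon session), here is a PowerShell check that is not from the thread: it compares the logon session of the current shell with the one explorer.exe runs in, and purges the cache of the session File Explorer actually uses. It assumes an elevated PowerShell started by the same interactive user, a single explorer.exe, and that the logon session LUID's high part is 0 (otherwise klist also needs -lh).

```powershell
# Added example, not from the original thread.
# Assumptions: elevated PowerShell, same interactive user, one explorer.exe,
# LUID high part 0 (whoami /logonid prints S-1-5-5-<high>-<low>).

# <low> of the logon SID is the decimal low part of this shell's logon session LUID,
# which is the same value Win32_LogonSession.LogonId stores.
$shellLogonId = ((whoami /logonid).Trim() -split '-')[-1]

# File Explorer's logon session, via the Win32_SessionProcess association.
$explorer = Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'" |
            Select-Object -First 1
if (-not $explorer) {
    throw "explorer.exe not found; is the user logged on interactively?"
}
$explorerSession = Get-CimAssociatedInstance -InputObject $explorer `
                       -Association Win32_SessionProcess
$explorerLogonId = $explorerSession.LogonId

Write-Host "Shell logon session   : $shellLogonId"
Write-Host "Explorer logon session: $explorerLogonId"

# klist addresses another session by the hex low part of its LUID.
$hexLogonId = '0x{0:x}' -f [uint64]$explorerLogonId

if ($shellLogonId -eq $explorerLogonId) {
    # Same session: a plain purge already reaches the tickets Explorer uses.
    klist purge
} else {
    # Different session (typical for an elevated prompt): purge Explorer's session,
    # not the elevated shell's own, otherwise Explorer keeps its old tickets.
    Write-Host "Shell and Explorer are in different logon sessions; purging $hexLogonId."
    klist purge -li $hexLogonId
}

# What remains cached for Explorer's session; the next access to the share
# requests a fresh service ticket whose PAC carries the updated group membership.
klist tickets -li $hexLogonId
```

If Explorer still reports access denied after the purge, an SMB connection to the server that was set up with the old ticket may still be open; disconnecting it (net use \\server\share /delete) before retrying rules that out.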

BojanZivkovic-7448 answered BojanZivkovic-7448 edited

So this http://woshub.com/how-to-refresh-ad-groups-membership-without-user-logoff/ won't ever work meaning logging off/logging on is inevitable?

DaisyZhou-MSFT answered

Hello @BojanZivkovic-7448,

Thank you for your update.

I am not sure whether the method you provided will work, but you can try.

If it does not work, I think logging off/logging on is inevitable.



Best Regards,
Daisy Zhou

BojanZivkovic-7448 answered DaisyZhou-MSFT commented

I tried and experienced what I wrote initially.


Hello @BojanZivkovic-7448,

Thank you for your update.

As I understand and explained above, we should log off to refresh the credential cache and log in again to refresh all service tickets and all session keys.

Should you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou
