How does one update primary security token / kerberos ticket without login again ?

Using SYNERGIX AD Client Extensions software ( http://www.synergix.com ), you can update the users' primary security token and the kerberos ticket without requiring the user to login again.  This is the only supported way that a remote user, logged in with cached credentials, can see their privileges updated when they (vpn) connect to their corporate network. 

Have more questions? Submit a request

4 Comments

  • 0
    Avatar
    Synergix Support

    Yes, if we understand it correctly.  By "local" users, you mean office users who are LAN connected ?  Using SYNERGIX ADCE, it is possible to make changes to their domain computer account or domain user account membership to update their access to network resources.

    If you explore the Administrative Template file that is included with the software package, under the "SYNERGIX AD Client Extensions", you will notice a section 'Security Settings' and then, a policy setting called "Kerberos Tickets Management".  You must specify a domain controller FQDN ( or CNAME for it ) where you will be making changes to domain computer account or domain user account.

    With the policy configured and changes made to the user account or computer account, the changes will be picked up instantaneously ( about 10 - 15 seconds ) and the Kerberos Ticket will be refreshed.  This will allow you to grant access or deny access to your domain user accounts.

    Please let us know if you need further clarification or if you wish to talk to one of our support staff members.

     

  • 0
    Avatar
    Jane Sun

    Youtube Video on Synergix AD Client Extensions 

    http://www.youtube.com/watch?v=_1pae5MDBxg

  • 0
    Avatar
    Jane Sun

    This is amazing.  We have version 12.0.0.23 and it removes the limitation set on domain controllers.  

    >> You must specify a domain controller FQDN ( or CNAME for it ) where you will be making changes to domain computer account or domain user account.

    In the default configuration and when "Kerberos Tickets Management" is enabled, the software will detect changes to user account or computer account on ANY domain controller and refresh the tickets in few seconds.

  • 0
    Avatar
    Leslie Beerens

    Does this also work for 'local' users: for example: adding a user to a certain 'deny' group for a shared folder, will this user be denied access without logging off?

Please sign in to leave a comment.
Powered by Zendesk