Hello MatteoDiFrancesco-1737,
Thank you for posting here.
1. Usually, if we reboot the machine, all the credential caches (including user credential cache and computer cache) are refreshed.
2. And from the article, we can see:
How the Kerberos Version 5 Authentication Protocol Works
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772815(v=ws.10)?redirectedfrom=MSDN
Credentials Cache
On computers running Windows 2000, Windows XP, or Windows Server 2003, tickets and keys obtained from the KDC are stored in a credentials cache, an area of volatile memory protected by the LSA. The credentials cache is never paged to disk. All objects stored there are destroyed when a security principal logs off or when the system is shut down.
The credentials cache is managed by the Kerberos SSP, which runs in the LSA's security context. Whenever tickets and keys need to be obtained or renewed, the LSA calls the Kerberos SSP to accomplish the task.
After credentials reach the workstation, the Windows Server 2003 access token creation process is the same as that of Windows NT versions. The LSA on the workstation receives the user's service ticket, decrypts the service ticket with the system key stored in its credentials cache, and then extracts the authorization data. The privilege attribute certificate (PAC) is taken from the service ticket and used to create the user's access token. The LSA then queries the local SAM database to discover whether the user is a member of any security groups local to the computer, and whether memberships in those groups grant the user any special rights on the local computer. It adds any SIDs returned by this query to the list taken from the ticket's authorization data. The entire list is then used to build an access token, and a handle to the access token is returned to Winlogon, along with an identifier for the user's logon session and confirmation that the logon information was valid.
Winlogon creates a window station and several desktop objects for the user, attaches the user's access token, and starts the shell process the user will use to interact with the computer. The user's access token is subsequently inherited by any application process that the user starts during the logon session.
When the user logs off, the credentials cache is flushed and all service tickets—as well as all session keys—are destroyed.
3. We can check if AD replication is working fine between the two DCs, or maybe there is a replication delay between the two DCs; I mean, when we change (add or remove) users in groups on one DC, after a while (such as several seconds) the change does not occur on the other DC.
If it is not the situation above, would you please tell us how you checked that a reboot, or a sign out and sign in, does not work?
Thank you for your time and efforts.
Best Regards,
Daisy Zhou
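The checks suggested in point 3, as an added PowerShell example that is not part of the answer above. It assumes the ActiveDirectory RSAT module is installed, that the script runs as a domain user with read access to the directory, and that `$User` and `$Group` are placeholders you replace with the affected account and group. It compares the group's membership as every DC sees it, lists inbound replication state and recorded failures per DC, and then shows why purging tickets on the workstation is not enough on its own: the group SIDs are fixed into the access token when the logon session is created, so a fresh sign-in (or reboot) is still needed once the DCs agree.

```powershell
# Added diagnostic example; not code from the answer above.
# Assumes: RSAT ActiveDirectory module, domain-joined workstation, read rights in AD.
$User  = 'jdoe'        # placeholder: sAMAccountName of the affected user
$Group = 'App-Users'   # placeholder: group whose membership change is not taking effect

Import-Module ActiveDirectory

# 1. Compare the group's membership as each DC sees it.
#    A mismatch between DCs points at replication lag or a replication failure.
$dcs = (Get-ADDomainController -Filter *).HostName
foreach ($dc in $dcs) {
    $members  = (Get-ADGroupMember -Identity $Group -Server $dc).SamAccountName
    $isMember = $members -contains $User
    '{0,-40} {1} member of {2}: {3}' -f $dc, $User, $Group, $isMember
}

# 2. Inbound replication state and any recorded failures, per DC.
#    ConsecutiveReplicationFailures > 0 or an old LastReplicationSuccess means the
#    change made on one DC may simply not have reached this one yet.
foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc -PartnerType Inbound |
        Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures
    Get-ADReplicationFailure -Target $dc |
        Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime
}
# Built-in equivalents: repadmin /replsummary   and   repadmin /showrepl <DC>

# 3. On the affected workstation, once every DC reports the same membership:
#    klist purge discards the cached TGT and service tickets for the current logon
#    session, so the next ticket request goes back to the KDC. It does NOT rebuild the
#    access token, whose group SIDs were set at logon; compare the two outputs below
#    and expect the group to appear only after the user signs out and back in.
klist purge
klist                                   # cache should now be empty until a new ticket is requested
whoami /groups | Select-String $Group   # token still reflects the groups at logon time
```

Run step 1 first: if some DCs show the user as a member and others do not, the problem is replication (step 2 tells you which partner link is failing or lagging), and reboots on the workstation will appear to "not work" whenever the workstation happens to authenticate against a DC that has not yet received the change.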