Klist: Purge User Kerberos Ticket without Logoff

Bojan Zivkovic 611 Reputation points
2021-04-15T13:55:22.247+00:00

Hi, having added my test account to the AD group that has rights to access a shared folder, I am still not able to access it from File Explorer without logging off/logging on (Windows Server 2016):

klist purge
runas /user:DOMAIN\testacc "cmd.exe"

I see that the Kerberos ticket has been updated (klist tgt) and whoami /groups confirms the test account is a member of the AD group, but I still always get an error that I do not have permission to access the shared folder from File Explorer. Logging off/logging on is something I would definitely like to avoid.

Any help on this would be appreciated - thank you in advance!

Windows for business | Windows Client for IT Pros | Directory services | Active Directory

4 answers

  1. Anonymous
    2021-04-16T05:38:23.25+00:00

    Hello @Bojan Zivkovic ,

    Thank you for posting here.

    We can see one domain user on one domain client wants to access \server\shared folder to read a file. The process follows this sequence (the user has already logged on, and the user has requested and received a ticket for the workstation):

    [image 88350-per1.png: diagram of the Kerberos ticket exchange sequence described above]

    Then for a user session that originally logged in normally, the user's access token only includes the permissions that the user had when logging in.

    Winlogon creates a window station and several desktop objects for the user, attaches the user's access token, and starts the shell process the user will use to interact with the computer. The user's access token is subsequently inherited by any application process that the user starts during the logon session.

    When the user logs out, the credential cache is refreshed, and all service tickets and all session keys are destroyed.

    If the user is allowed to change the permissions of the shared folder (the original user did not have permission to the shared folder, now the user is given the permission on the shared folder), log off the user, and log in to the client with the user’s account again.

    Only the new permissions are included in the user's access token in the user's new logon session, and then the user can access the shared folder.

    For more information we can refer to the link below.

    How the Kerberos Version 5 Authentication Protocol Works
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772815(v=ws.10)?redirectedfrom=MSDN

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

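The following PowerShell is an added example, not code from this thread or from Microsoft. It shows why klist purge alone did not help: it lists the groups AD would place into a new access token that are missing from the token of the logon session the script runs in. It assumes a domain-joined host that can reach a domain controller; run it once in the original desktop session (the one File Explorer inherited its token from) and once inside the runas command window, which is a separate logon session with its own token.

```powershell
# Added example: compare the group SIDs baked into this process's access token
# with the account's current AD membership (tokenGroups, which already flattens
# nested groups, i.e. what a fresh logon would put into the token).
function Compare-TokenGroups {
    # Groups in this logon session's token, fixed at logon time.
    $tokenSids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
        ForEach-Object { $_.Value }

    # Groups AD currently lists for the account (constructed attribute tokenGroups).
    $searcher = [ADSISearcher]"(&(objectCategory=user)(sAMAccountName=$env:USERNAME))"
    $entry = $searcher.FindOne().GetDirectoryEntry()
    $entry.RefreshCache(@('tokenGroups'))
    $adSids = $entry.Properties['tokenGroups'] | ForEach-Object {
        # Each value is a binary SID; the (byte[], offset) constructor decodes it.
        (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value
    }

    # Anything reported here is in AD but not in the running session's token.
    # Purging Kerberos tickets cannot add it; only a new logon session can.
    $adSids | Where-Object { $tokenSids -notcontains $_ } | ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_)
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # unresolvable SID: show the raw value
        [pscustomobject]@{ Sid = $sid.Value; Name = $name }
    }
}

Compare-TokenGroups | Format-Table -AutoSize
```

An empty result in the runas window but a populated one in the desktop session reproduces exactly what the question describes: whoami /groups in the new session sees the group, while File Explorer still runs on the old token.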

  2. Bojan Zivkovic 611 Reputation points
    2021-04-16T08:47:00.553+00:00

    So this http://woshub.com/how-to-refresh-ad-groups-membership-without-user-logoff/ won't ever work meaning logging off/logging on is inevitable?


  3. Anonymous
    2021-04-16T08:55:36.623+00:00

    Hello @Bojan Zivkovic ,

    Thank you for your update.

    I am not sure whether the method you provided will work or not, but you can try.

    If it does not work, I think logging off/logging on is inevitable.

    Best Regards,
    Daisy Zhou


  4. Bojan Zivkovic 611 Reputation points
    2021-04-16T10:32:24.767+00:00

    I tried and experienced what I wrote initially.
