Monday 2 March 2015

Refreshing folder permissions in Active Directory with Kerberos

Quite often, when you apply folder permissions, for example by adding a user to a security group that is applied to a folder the user previously did not have permission to access, and the change was made recently, the user still cannot get in. This can be due to their Kerberos ticket. Purge the cached tickets with:
klist purge
klist -li 0x3e7 (to specify the current logged-in user's session)

** Note: If the file / folder you are accessing is on a share, you might also need to close the SMB session with:
net use * /delete
End Note **

and then re-attempt to access the share.

To explain how this happens we first need to understand how Kerberos works.
The client first requests a TGT from the KDC, and the KDC provides an encrypted TGT to the client - BUT the client can only decrypt this if their password hash is correct (i.e. to prevent man-in-the-middle style attacks).

Once the client has a TGT, it can ask the Ticket Granting Service (TGS) on the Key Distribution Centre (KDC) to provide a service ticket, which can then be used to access network services such as a file or print server and so on.

The aforementioned TGT contains a "PAC" field, which holds all of the user's authentication information and is used when accessing resources on the domain. Hence, if a user is removed from a security group before the ticket expires, they will still have access to that resource. For a more detailed explanation of how this process works please see here.
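The procedure above (purge tickets, drop the SMB session, retry), put together as one script. This is an added example, not code from the original post; `$SharePath` and `$GroupName` are placeholder values to replace with your own.

```powershell
# Added example (not from the original post): refresh the current logon
# session's Kerberos tickets, drop cached SMB sessions, then re-test a share.
param(
    [string] $SharePath = '\\FILESERVER\Share\Folder',   # placeholder
    [string] $GroupName = 'DOMAIN\Folder-Readers'        # placeholder
)

function Test-ShareAccess {
    param([string] $Path)
    # Test-Path returns $false for both "missing" and "access denied", so
    # request a directory listing and report an authorization failure explicitly.
    try {
        Get-ChildItem -LiteralPath $Path -ErrorAction Stop | Out-Null
        return 'Accessible'
    } catch [System.UnauthorizedAccessException] {
        return 'AccessDenied'
    } catch {
        return "Error: $($_.Exception.Message)"
    }
}

function Reset-KerberosAndSmb {
    # Purge the cached TGT and service tickets for this logon session; the next
    # access requests a fresh TGT whose PAC reflects current group membership.
    klist purge | Out-Null
    # Drop cached SMB connections so the file server must re-authenticate with
    # the new service ticket rather than reuse the old session.
    net use * /delete /y | Out-Null
}

$before = Test-ShareAccess -Path $SharePath
Write-Host "Before refresh: $before"
if ($before -eq 'AccessDenied') {
    Reset-KerberosAndSmb
    $after = Test-ShareAccess -Path $SharePath
    Write-Host "After refresh:  $after"
    if ($after -eq 'AccessDenied') {
        Write-Host "Still denied: confirm $GroupName is granted on the folder and that the membership change has replicated to the DC issuing your tickets."
    }
}
```

Run it in the affected user's own session; `klist purge` only clears tickets for the logon session it runs in.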
