klist purge
or
klist -li 0x3e7 purge (to purge the local SYSTEM logon session instead, logon ID 0x3e7, which holds the computer account's tickets rather than the logged-on user's)
** Note: if the file or folder you are accessing is on a network share, you may also need to close the existing SMB session, because the file server caches the access token it built from the old service ticket for as long as that session lives:
net use * /delete
End Note **
Then re-attempt to access the share.
To explain how this happens we first need to understand how Kerberos works.
The client first requests a TGT from the KDC (the AS-REQ). The KDC replies with an encrypted TGT (the AS-REP). The TGT itself is encrypted with the krbtgt account's key, so the client never reads its contents; what the client has to decrypt is the accompanying session key, which is encrypted with a key derived from the user's password. A client with the wrong password hash cannot recover that session key and so cannot use the TGT, which is what stops someone who merely intercepts the reply from using it.
Once the client has a TGT it presents it to the Ticket Granting Service (TGS) on the Key Distribution Centre and asks for a service ticket (TGS-REQ/TGS-REP), which it then presents to a network service such as a file or print server.
The TGT carries a PAC (Privilege Attribute Certificate) in its authorization data. The PAC holds the user's authorization information, including the SIDs of the security groups the user belonged to at the moment the TGT was issued, and the KDC copies it into every service ticket issued from that TGT. The file or print server builds the user's access token from that PAC, not from a live directory lookup. So if a user is removed from a security group after the TGT was issued, every service ticket obtained with that TGT still lists the old group, and the user keeps access to the resource until the TGT expires or is purged (by default a user TGT is valid for 10 hours and renewable for up to 7 days). Purging it forces a new AS-REQ with the credentials LSA already holds, so the replacement TGT carries a PAC built from current membership. For a more detailed explanation of how this process works please see here.
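The purge-and-retry procedure above, tied to the explanation of why it works, as an added PowerShell example (this is not code from the original post). It assumes only klist.exe and net.exe, which ship with Windows, and that LSA still holds the user's cached credentials so a fresh TGT can be requested silently; the share path and the function name are hypothetical.

```powershell
# Added example, not from the original post: purge cached Kerberos tickets and
# SMB sessions so that a group-membership change takes effect without logging off.
# Assumes klist.exe and net.exe (built into Windows) and that LSA still holds the
# user's cached credentials, so the next access silently obtains a new TGT.
# Reset-KerberosShareAccess and the share path are hypothetical names.
function Reset-KerberosShareAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SharePath,   # e.g. \\fileserver\finance (hypothetical)
        [switch] $IncludeSystemSession                # also purge the computer account's tickets (logon ID 0x3e7)
    )

    # 1. Show what is cached now. The TGT's Start Time / End Time bound the window in
    #    which a stale PAC (old group membership) is re-used for new service tickets.
    Write-Host "== Tickets before purge =="
    klist

    # 2. Drop every mapped drive and SMB session first. The file server keeps the access
    #    token it built from the old service ticket for the life of the SMB session,
    #    so purging the ticket alone does not revoke access on an existing connection.
    net use * /delete /y | Out-Null

    # 3. Purge this logon session's tickets. The next access forces a new AS-REQ, so the
    #    replacement TGT (and every service ticket derived from it) carries a PAC built
    #    from the user's current group membership.
    klist purge | Out-Null

    # 4. Optionally purge the local SYSTEM session (logon ID 0x3e7), which holds the
    #    computer account's tickets, for cases where the computer object's membership changed.
    if ($IncludeSystemSession) {
        klist -li 0x3e7 purge | Out-Null
    }

    # 5. Re-attempt the access. Touching the UNC path triggers a fresh TGS-REQ for the
    #    cifs/<server> service and a new SMB session built from the new ticket.
    $reachable = Test-Path -LiteralPath $SharePath
    Write-Host "== Tickets after re-access =="
    klist

    [pscustomobject]@{
        Path      = $SharePath
        Reachable = $reachable
    }
}

# Usage: run in the affected user's own (non-elevated) session. Kerberos ticket caches
# are per logon session, and a UAC-elevated prompt runs under a different logon ID,
# so a purge issued from an elevated prompt may not touch the session that has the
# stale tickets. Use "klist" to read the Logon Id and "klist -li <id> purge" if needed.
# Reset-KerberosShareAccess -SharePath '\\fileserver\finance'
```

The order matters: dropping the SMB session before the purge guarantees that the reconnect in step 5 cannot reuse a connection whose server-side token was built from the old PAC.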