Re: Renewing Kerberos ticket

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 03/01/05


Date: Tue, 1 Mar 2005 01:55:02 -0700

Yep. The OP may want to look at it in the following way.
Getting a new service ticket, or renewing, is an authorization.
Authorization just refers to the user token, which is only built
during authentication at log in.

-- 
Roger Abell
"Herb Martin" <news@LearnQuick.com> wrote in message
news:egCE2piHFHA.2136@TK2MSFTNGP14.phx.gbl...
> I believe Roger to be correct.
>
> While Kerberos tickets may be renewed, the
> users (vendor specific, e.g., Microsoft) security
> access token does not get refreshed by the procedure
> as far as I know.
>
>
> -- 
> Herb Martin
>
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:eB6hNciHFHA.560@TK2MSFTNGP12.phx.gbl...
> > The account must log off and back on.
> > There is no other way.  Refreshing a ticket does not
> > refresh the user token that is in use.  Only getting a
> > new TGT through login authentication does that.
> >
> > However, there is something that does not make sense in
> > what you have said.
> > The user runs a script that creates a group and adds themselves
> > to the group.  The script then attempts to alter an ACL but is
> > denied due to permissions. You say that if their user token
> > were refreshed to see the new group and their membership in
> > it then they would not be denied.  I do not see how that is so,
> > but do see how that seems impossible.
> >
> > -- 
> > Roger Abell
> > Microsoft MVP (Windows  Security)
> > MCSE (W2k3,W2k,Nt4)  MCDBA
> > "Amihai Bareket" <amihai73@hotmail.com> wrote in message
> > news:eQGERJiHFHA.3076@tk2msftngp13.phx.gbl...
> > > I'm working with a script that's creating new AD Security groups and
> > > changing their membership.
> > > The user that runs the script is added as a member of the new groups.
> > > Once the groups are created I need the script to create folders and
> > > set ACL on these folders using the new groups.
> > > Because the groups are newly created, the information that indicates
> > > that the logged in user (the one that's running the script) is a member
> > > of the new groups is not included in the Kerberos ticket he's been
> > > granted on logon.
> > > The permission change on the file system fails because of this with an
> > > access denied message (makes sense...). I'm using XCACLS to set the
> > > permissions on the new folders.
> > >
> > > Is there a way to request a renewal to a user's Kerberos ticket from a
> > > script or batch so that he will receive a new or renewed ticket with
> > > the new group information?
> > >
> > >
> > >
> >
> >
>
>

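Added worked example (editor's code, not from any poster in the thread) illustrating the point the replies make: the access token is built at logon, so a script should check the token it actually has and, if the group is missing, do the ACL step in a new logon session instead of trying to renew the ticket. The group name CONTOSO\FolderAdmins, the folder C:\Shares\Project and the -InFreshLogon switch are assumptions for illustration; it needs PowerShell 3 or later for $PSCommandPath and Get-Credential -UserName.

```powershell
# Added example, not code from the thread. Hypothetical names: group CONTOSO\FolderAdmins,
# folder C:\Shares\Project. Needs PowerShell 3+ ($PSCommandPath, Get-Credential -UserName).
param(
    [string]$GroupName = 'CONTOSO\FolderAdmins',   # assumption: the newly created group
    [string]$Path      = 'C:\Shares\Project',      # assumption: folder the script created
    [switch]$InFreshLogon                          # set when re-launched under new credentials
)

function Test-TokenHasGroup {
    param([string]$Group)
    # Compare SIDs, not names, so a renamed or not-yet-resolvable group cannot fool the check.
    $account = New-Object System.Security.Principal.NTAccount($Group)
    $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # $identity.Groups is the group list baked into this logon session's access token.
    # A group the account was added to after logon is missing here, and stays missing
    # after 'klist purge': that only discards cached tickets, it does not rebuild the token.
    return [bool]($identity.Groups | Where-Object { $_.Value -eq $sid.Value })
}

function Set-FolderAcl {
    param([string]$Folder, [string]$Group)
    $acl  = Get-Acl -Path $Folder
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Folder -AclObject $acl
}

if (Test-TokenHasGroup -Group $GroupName) {
    Set-FolderAcl -Folder $Path -Group $GroupName
    Write-Host "ACL on $Path updated; this token already carried $GroupName."
    exit 0
}

if ($InFreshLogon) {
    # Even a brand-new logon did not pick up the group: most likely the DC that
    # authenticated us has not yet replicated the membership change.
    throw "Fresh logon session still lacks $GroupName; check DC replication and retry."
}

Write-Warning "The current token was built at logon and does not contain $GroupName."
# Start-Process -Credential performs a new logon for the child process, so the child
# gets a token built from the account's *current* group membership. Re-run this script there.
if (-not $PSCommandPath) { throw 'Run this as a saved .ps1 file so it can re-launch itself.' }
$cred = Get-Credential -UserName "$env:USERDOMAIN\$env:USERNAME" -Message 'Re-enter your password to start a fresh logon session'
$childArgs = @('-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', $PSCommandPath,
               '-GroupName', $GroupName, '-Path', $Path, '-InFreshLogon')
Start-Process -FilePath 'powershell.exe' -ArgumentList $childArgs -Credential $cred -Wait
```

Running `whoami /groups` before and after `klist purge` shows the same list, which is the behaviour the replies describe; only the re-launched child, running in its own logon session, sees the new group. The -InFreshLogon guard stops the script from prompting for credentials in a loop when the membership change has not reached the authenticating domain controller yet.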
