Re: Kerberos, MOSS 2007 AD Group Membership
- From: "Anthony" <anthony.spam@xxxxxxxxxxxxxx>
- Date: Sun, 26 Aug 2007 14:02:52 +0100
Dave,
The list of group memberships is read at logon from the KDC. This remains
valid until it expires, or is renewed by logoff/logon. It's the same for file
access. You can grant permissions to an existing group and it will take
effect immediately, but you can't add a member to a group and have that take
effect immediately.
Anthony,
http://www.airdesk.co.uk
"dwthoma" <dwthoma@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D33E52BA-5402-4CA1-917A-29488CD20FB0@xxxxxxxxxxxxxxxx
I have a MOSS 2007 Server that is a member of our Active Directory. We enabled Kerberos in SharePoint which works very well.
We have one site that is set up with a SharePoint group -> nested inside that is an Active Directory security group (called CORE) where Active Directory users are updated frequently. When a user who is a member of this Active Directory security group (CORE) accesses this website he sees extra details on the site. When a user is not a member of this (CORE) group he sees only the standard information on the website.
What seems to be the trouble is that... if I have made a user a member of this (CORE) AD group it can take up to 10 hours to reflect that information on the page. The user will not see the extra information on the screen for up to 10 hours.
I found that all Active Directory controllers update the group membership pretty much immediately after a change. Also I have found that if I purge the user's Kerberos tickets on his desktop using KERBTRAY the information updates on the webpage immediately.
It seems that the Kerberos ticket is not updating on the user's computer if they are made a new member of the CORE AD group (until the Kerberos ticket expires after 10 hours).
Why would this occur with Kerberos in SharePoint/IIS when fileshares... i.e. a network share immediately allows access in the same scenario... which is also Kerberos authentication?
Is there a problem with Kerberos/IIS? Is the deployment different?
The problem doesn't exist if I switch the site to NTLM. But corporate policy stipulates Kerberos should be used.
Any help or insight into this would be awesome!
--
davebrave
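
The behaviour Anthony describes, as an added example that is not part of the original thread: a simplified Python model in which the group list is a snapshot taken when the ticket is issued and the server authorizes from that snapshot. The names `Directory`, `Client`, `scenario` and the `Staff` group are hypothetical, and the TGT and service ticket are collapsed into a single cached ticket.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

TICKET_LIFETIME = timedelta(hours=10)  # the 10-hour window reported in the thread

@dataclass(frozen=True)
class Ticket:
    groups: frozenset   # membership snapshot taken when the ticket was issued
    expires: datetime

class Directory:
    """Constructed stand-in for AD and the KDC; not a real Kerberos API."""
    def __init__(self):
        self.members = {}  # group name -> set of user names

    def add_member(self, group, user):
        self.members.setdefault(group, set()).add(user)

    def issue_ticket(self, user, now):
        groups = frozenset(g for g, m in self.members.items() if user in m)
        return Ticket(groups, now + TICKET_LIFETIME)

class Client:
    """Reuses its cached ticket until it expires or is purged."""
    def __init__(self, user, directory):
        self.user, self.directory, self.ticket = user, directory, None

    def purge(self):  # the KERBTRAY purge described in the question
        self.ticket = None

    def get_ticket(self, now):
        if self.ticket is None or now >= self.ticket.expires:
            self.ticket = self.directory.issue_ticket(self.user, now)
        return self.ticket

def authorize(ticket, acl):
    """The server checks the groups carried in the ticket; it does not re-query AD."""
    return bool(ticket.groups & acl)

def scenario(purge=False, check_after=timedelta(hours=1), acl=frozenset({"CORE"})):
    """dave logs on, is then added to CORE, and requests the page later."""
    t0 = datetime(2007, 8, 26, 9, 0)  # constructed timestamp
    ad = Directory()
    ad.add_member("Staff", "dave")
    pc = Client("dave", ad)
    pc.get_ticket(t0)                 # logon: snapshot contains only Staff
    ad.add_member("CORE", "dave")     # membership change made in AD
    if purge:
        pc.purge()
    return authorize(pc.get_ticket(t0 + check_after), acl)
```

Passing an `acl` that also names `Staff` models granting permissions to a group the user already belonged to at logon, which takes effect without a new ticket.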