7.11. Active Directory® Resynchronization¶
One of the great strengths of IDERI note is its deep integration into Active Directory®, the Windows middleware frameworks such as MS Remote Procedure Calls and Windows integrated security. The proper combination of these technologies in both the server side part of IDERI note as well as its client side makes it possible to run the IDERI note client with Windows single sign-on capabilities after a user login, with the IDERI note client running on behalf of the logged-in user and authenticating with the logged-in user’s identity across the network against the IDERI note server.
Active Directory® resynchronization for the hasty reader
Active Directory® resynchronization makes it possible for IDERI note clients that are already connected to their IDERI note server to utilize changes in their Active Directory® group membership for message retrieval even if those changes have been performed after user login or connection establishment with the IDERI note server.
In order for an Active Directory® resynchronization to have an effect on clients that are already connected to their IDERI note server and on newly created messages, the following operations should be performed in exactly this order:
- First make your changes in Active Directory®.
- Next, perform the client resynchronization from within IDERI note administrator.
- As the last step, create new messages that should utilize the updated client group membership information.
For in-depth information on Active Directory® resynchronization in IDERI note, continue reading in the following sections:
7.11.2. Kerberos ticket cache and stale logon session information¶
The IDERI note client, when authenticating across the network against the IDERI note server, uses the builtin facilities of the underlying middleware protocol being used for the connection, which is MS RPC. Part of this authentication and logon process is the creation of a network logon session on the IDERI note server for each client connection. This network logon session contains information about the identity of the Active Directory® security principal (Active Directory® user or computer) running the client, and the Active Directory® group membership of it. Both these types of information determine whether a new message should be displayed to the user. The Active Directory® group membership of the security principal is determined at the very moment where the user starts an interactive logon session with the Active Directory® user credentials, thus populating the “Kerberos ticket cache” of the interactive client logon session. Whenever a program running in this logon session is now performing an authenticated and outbound network request, integrated windows security will present this Kerberos ticket cache to the network resource in a secure manner and the network resource will use this previously cached information in order to determine what type of access to grant for that program’s network request. In this respect, the IDERI note client behaves no different than other programs, such as e.g. explorer.exe when mapping a network drive. There is no builtin mechanism in integrated windows security to always present the most current Active Directory® group membership information to a remote resource as this would lead to excessive network load between the client and its Domain Controller for each and every authenticated network connection the client initiates. For most scenarios in an Active Directory® environment, this scheme with using cached information from the Kerberos Ticket Cache has proven to be a good compromise between performance and accuracy of group resolution, given the fact that Active Directory® group membership changes are usually only done after careful evaluation of the consequences at a low frequency in comparison with the usual length of a client logon session.
However, this scheme comes at the cost of less flexibility when it comes to dynamic changes in Active Directory® group membership after IDERI note clients have already connected to their IDERI note server. Such changes will usually only be reflected to the client’s network logon session on the IDERI note server if the user logs out and logs in again, so the client’s previous network logon session on the server is closed and created anew, this time with the Kerberos ticket cache being updated during the principal’s interactive logon process, after providing the principal’s Active Directory® credentials anew. For users of the IDERI note Administrator this makes it difficult to apply ad-hoc changes to Active Directory® group membership information of users and afterwards create or change IDERI note messages with the expectance that these recent changes in Active Directory® will have any effect on message reception and delivery for currently connected clients. We will illustrate this dilemma with a simple example:
Consider the scenario from chapter 4.2 and 4.5 where we have sent a number of IDERI note messages to our fictitious user Albert Tross. Now imagine that while the IDERI note client of Albert Tross is already connected to the IDERI note server running on the member server sv01.note.dev, a new Active Directory® group named “IDERI note users” is created with Albert Tross being a member of it. After creation of the group, a new IDERI note message is created which is destined to the new group named “IDERI note users”. But the IDERI note client program running on the desktop of Albert Tross, will not show this new message, after its polling interval elapses. What is going on here?
What we see in this example are the effects of a stale Kerberos ticket cache associated with the interactive logon session of Albert Tross. Since the group membership information from the Kerberos ticket cache has been presented to the IDERI note server prior to the changes in Active Directory® group membership, the IDERI note server doesn’t know anything about those changes and will therefore not send the message information to the desktop of Albert Tross.
7.11.3. Purging the Kerberos ticket cache from IDERI note administrator¶
In order for the IDERI note server to work with updated information about the Active Directory® group membership of Albert Tross, a number of things must happen:
- The current network logon session of Albert Tross on the IDERI note server needs to be closed.
- Some process running in the interactive logon session of Albert Tross on the client computer has to invalidate (“purge”) that logon session’s Kerberos ticket cache and create it anew with the most up-to-date information to be retrieved from the Domain Controller.
- The IDERI note client process running in the interactive logon session of Albert Tross needs to recreate its network logon session with its IDERI note server, this time presenting the updated Kerberos ticket cache to the server. In our fictitious example this would include the new group membership of Albert Tross in the Active Directory® group “IDERI note users”.
All of these steps are performed automatically when pressing the ribbon button labeled “Resynchronize Clients with AD” on the “Home - Clients” ribbon field of IDERI note Administrator. Pressing this ribbon button however does not instantaneously perform any communication with the clients connected with the IDERI note server. Instead, it will only “mark” the currently connected client information on the IDERI note server as a connection that requires an Active Directory® resynchronization, which makes this operation very fast. Now if the polling interval elapses for any such client whose connection is marked to require an Active Directory® resynchronization, the client will try to perform an update of its message state as usual, not knowing that the server considers it as requiring an Active Directory® resynchronization. The server however will now refuse to update the client’s state and will instead return a special error code to the client, indicating that the client should perform the steps outlined above: Close the current session to the IDERI note server, purge the Kerberos ticket cache and finally reconnect to the IDERI note server. After the client has performed these steps, it will have a network logon session on the IDERI note server with its most up-to-date Active Directory® group membership information. Returning to our example above with the newly created group “IDERI note users”, the message destined to this group is shown on the desktop of Albert Tross, if the resynchronization of the IDERI note clients from within IDERI note administrator is performed after the change in the Active Directory® group membership of Albert Tross, but prior to creation of the message destined to the new group.
Purging the Kerberos ticket cache first and foremost only works for clients running in a fully functional Kerberos environment. This precludes pure workgroup environments as well as client connections that for any reason use NTLM as the authentication protocol. In addition, purging the Kerberos client cache affects only outbound connections from the perspective of the computer running the IDERI note client program. As a consequence, if an IDERI note client is running on the same computer as the IDERI note server, purging the Kerberos ticket cache will not have the desired effect of creating the most up-to-date client group membership information because under the hood, the client will implicitly make a local connection to its IDERI note server, not an outbound connection. In this scenario, there is no other way for clients to update their group membership information on the IDERI note server than to log out and log in again.
Another limitation comes into play when pushing alert messages to clients after resynchronizing them with Active Directory®. When performing a message push operation in IDERI note, the client is only advised to perform a state information update with its IDERI note server ahead of time, so the client pulls its most current state from its server prior to the polling interval to elapse. So in this case, only those clients are advised to perform a state information update, that are considered by the server to be legitimate recipients prior to any group membership changes in Active Directory®. In our example above, where a new group is created and Albert Tross is made a member of this group, pushing the message to the new group after performing the Active Directory® client resynchronization will result in the new message being displayed to Albert Tross, but only after the polling interval elapses for the IDERI note client running on the desktop of Albert Tross.
7.11.5. Effects of purging the Kerberos ticket cache on other processes¶
Purging the Kerberos ticket cache only affects newly created outbound connections that are authenticated using integrated windows security mechanisms. Existing outbound connections or already open network resources are not affected.
Since this feature can lead to much more traffic between client computers and their domain controller and will also affect the performance of the IDERI note server itself, with all connected clients disconnect and reconnect, its usage is governed by a security descriptor that can be viewed and changed from the ribbon button labeled “AD Synchronization” in the “Security” section of the “Settings” ribbon tab. By default, only administrators of the IDERI note server have the access rights to perform an Active Directory® client resynchronization, but this can easily be adapted using the security user interface on this ribbon button. The access right that allows or denies the ability to perform an Active Directory® client resynchronization is named “Resynchronize Clients with AD”.