Product: TIBCO Spotfire®
Script To Purge All Kerberos Tickets
There are situations where an administrator may want to clear the cached Kerberos tickets on a server. For example, user Bob left the company. Bob had access to sensitive data on a server. The first thing to do is to disable Bob’s Active Directory user account so no further Kerberos tickets or other access can be granted for that identity.
But what about existing Kerberos tickets? In the unlikely event that Bob had retained access and a live session on a computer, the tickets already cached for that session remain valid for hours.
One solution would be to reboot the computers in the environment. This would clear the Kerberos tickets from all session caches. However, rebooting a server is not always allowed in an impromptu way, and in some cases the server needs to be available 24x7.
In situations like that you can run this script to clear all cached Kerberos tickets and TGTs for all sessions on the computer. For clients and servers that are able to reach a domain controller this should not cause any user-visible or application-visible change, since the needed tickets are simply requested anew behind the scenes with no user interruption. Some complex Kerberos delegation cases may see an interruption of service from middle-tier servers if this action is taken; however, a new client-to-middle-tier connection should resolve the concern. Testing ticket purging in the specific application and scenario is recommended.
Download the PurgeAllKerbTickets.ps1 file attached here, then launch Windows PowerShell as an administrator, navigate to the folder where the file was just downloaded, and run the following command to execute the script:
Note: If you encounter an error that says
"script cannot be loaded because the execution of scripts is disabled on this system. Please see "get-help about_signing" for more details."
then execute the following command first in the PowerShell window:
set-executionpolicy remotesigned (Type in YES and press enter to confirm)
When running the script, it will give the following warning:
WARNING: This script will purge all cached Kerberos tickets on the local computer for all sessions (whether interactive, network or other sessions). In a well-connected environment clients will request and obtain Kerberos tickets on demand without interruption. If not well-connected to a domain controller (remote network) then further network resource authentication may fail or use NTLM if tickets are purged.
Confirm whether to purge by entering YES. If the user types anything other than ‘YES’ (case insensitive), they will see the following response:
Confirmation not received. NOT purging tickets.
If the user enters YES, the script loops through all session caches on the computer and purges their tickets. Once finished, the following text is displayed:
All tickets purged!
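The flow described above (warning, YES confirmation, then a purge of every logon session's cache), written out as an added PowerShell example. This is not the attached PurgeAllKerbTickets.ps1; it assumes the built-in klist.exe, whose "klist sessions" output lists each logon session's LUID and whose "-li" option purges a specific session's cache when run elevated.

```powershell
#Requires -RunAsAdministrator
# Added example, not the attached script: purge cached Kerberos tickets for
# every logon session on the local computer by driving klist.exe.

Write-Warning ("This script will purge all cached Kerberos tickets on the local " +
    "computer for all sessions (interactive, network or other). If the computer is " +
    "not well-connected to a domain controller, further network resource " +
    "authentication may fail or fall back to NTLM after the purge.")

# -ne is case-insensitive in PowerShell, so 'yes' and 'YES' both confirm.
$answer = Read-Host "Type YES to purge all Kerberos tickets"
if ($answer -ne 'YES') {
    Write-Host "Confirmation not received. NOT purging tickets."
    return
}

# 'klist sessions' prints one line per logon session, e.g.
#   [0] Session 0 0:0x3e7 NT AUTHORITY\SYSTEM:Negotiate
# The logon ID is the '<high>:<low>' pair; klist -li takes the low part (0x...).
$luids = klist sessions | ForEach-Object {
    if ($_ -match '\b0:(0x[0-9a-fA-F]+)\b') { $Matches[1] }
} | Sort-Object -Unique

if (-not $luids) {
    Write-Warning "No logon sessions found; is klist.exe available and is this shell elevated?"
    return
}

foreach ($luid in $luids) {
    # Purge the ticket cache (TGT and service tickets) of this logon session only.
    klist -li $luid purge | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "klist returned exit code $LASTEXITCODE for logon session $luid"
    }
}

Write-Host "All tickets purged!"
```

Verify afterwards with "klist sessions" and, for a given session, "klist -li <luid> tickets", which should show an empty cache until the session next contacts the KDC.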