Browser TGT Caching Fix

TL;DR

Browsers can cache Kerberos Ticket Granting Tickets (TGTs), leading to authentication issues after password changes or account lockouts. This guide explains how to clear these cached tickets in common browsers.

Clearing Cached TGTs

1. Understand the Problem: When you log into a Kerberos-enabled system, your browser receives a TGT. This ticket allows you to access other services without re-entering your credentials. Browsers store these tickets for performance reasons. If your password changes or your account is locked, the cached TGT becomes invalid but remains in the browser, causing authentication failures.
2. Google Chrome/Edge:
   • Open Chrome DevTools (right-click on the page and select ‘Inspect’, or press F12).
   • Go to the ‘Application’ tab.
   • Expand ‘Storage’ in the left sidebar.
   • Select ‘Cookies’.
   • Search for cookies related to your Kerberos realm (e.g., YOURREALM, or domain names associated with your authentication server).
   • Delete all relevant cookies.
   • Clear browser cache: Press Ctrl+Shift+Del (or Cmd+Shift+Del on macOS), select ‘Cached images and files’, and click ‘Clear data’.
3. Mozilla Firefox:
   • Open Firefox DevTools (right-click on the page and select ‘Inspect Element’).
   • Go to the ‘Storage’ tab.
   • Expand ‘Cookies’.
   • Search for cookies related to your Kerberos realm.
   • Delete all relevant cookies.
   • Clear browser cache: Press Ctrl+Shift+Del, select ‘Cache’, and click ‘Clear Now’.
4. Safari (macOS):
   • Enable the Develop menu: Safari > Preferences > Advanced > Show Develop menu in menu bar.
   • Open Develop > Empty Caches.
   • Clear History: Safari > Clear History… Choose ‘all history’ and click ‘Clear History’.
5. Internet Explorer/Microsoft Edge (Legacy):
   • Go to Internet Options (gear icon in the top-right corner).
   • Select the ‘Privacy’ tab.
   • Under ‘Cookies’, click ‘Delete’.
   • Check ‘Temporary Internet files and website files’ and ‘Cookies and website data’.
   • Click ‘Delete’.
6. Verify the Fix: After clearing the cache, try accessing the Kerberos-enabled service again. You should be prompted for your new credentials.
7. Command Line (for advanced users): In some cases, you might need to flush the Kerberos ticket cache at the operating system level. This is less common when dealing with browser caching but can be helpful in complex scenarios.

   kdestroy

   This command will destroy all current Kerberos tickets.

8. Restart Browser: After clearing cookies and cache, completely close and restart your browser. This ensures that the changes take effect.