Specify Credential Cache Type for AD Users
Specify the type of Kerberos credential cache that adclient will create when an Active Directory user logs in. You can specify a file-based or in-memory-based credential cache.
The use of in-memory credential caches is not supported on Mac OS X computers, so applying this group policy setting to a Mac OS X computer has no effect.
To specify the type of cache to create, click Enabled, then select the type of cache from Kerberos credential cache type.
If you select File-based credential cache, the Delinea Agent creates a file-based credential cache for each Active Directory user in /tmp when the user logs in. A file-based credential cache persists until the file is deleted.
If you select In-memory credential cache provided by Delinea-KCM service, the Delinea Agent creates an in-memory credential cache for each Active Directory user when the user logs in. The Centrify-KCM service, run as root, manages in-memory credential caches. When the adclient process starts up, if the policy is configured for an in-memory credential cache, adclient starts the KCM service. If you change the setting from file-based to in-memory while adclient is running, adclient starts the KCM service the next time it is forced to reload configuration parameters, for example, if you run the adgpupdate command to update group policy settings, or if a user opens a new session.
Setting this parameter affects new users only — not users who have already logged in. For example, if you change from a file-based to an in-memory credential cache, Direct Control will continue to use the file-based credential cache for any user who was logged in at the time of the change. If a logged-in user opens a new session, or a new user logs in, the agent will use an in-memory cache for them.
An in-memory credential cache ends as soon as the Centrify-KCM service is stopped.
This group policy modifies the krb5.cache.type setting in the agent configuration file.
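
Because the setting affects new logins only and file-based caches persist until deleted, a host switched to in-memory caching can still hold credential cache files in /tmp. The following audit script is an added example, not part of the Delinea documentation; the configuration file path, the FILE and KCM parameter values, and the krb5cc_* file naming are assumptions, so adjust them to match your agent.

```shell
#!/bin/sh
# Added example. Assumptions not stated on the page: the agent config path,
# the FILE/KCM parameter values, and the krb5cc_* cache file naming.
CONF_DEFAULT=/etc/centrifydc/centrifydc.conf

# Print the configured krb5.cache.type (last uncommented setting wins),
# or "unset" when the parameter is absent or the file is unreadable.
cache_type() {
    val=$(sed -n 's/^[[:space:]]*krb5\.cache\.type[[:space:]]*[:=][[:space:]]*\([A-Za-z]*\).*/\1/p' \
        "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${val:-unset}"
}

# List file-based credential caches in a directory as "mode owner path".
list_file_caches() {
    for f in "$1"/krb5cc_*; do
        [ -f "$f" ] || continue
        # stat syntax differs between GNU and BSD; try GNU first.
        meta=$(stat -c '%a %U' "$f" 2>/dev/null || stat -f '%Lp %Su' "$f")
        printf '%s %s\n' "$meta" "$f"
    done
}

# Print one finding per line:
#   LINGERING  file cache present although in-memory caching is configured
#   PERMS      cache file accessible to group or others
audit_caches() {
    ctype=$(cache_type "${1:-$CONF_DEFAULT}")
    while read -r mode owner path; do
        [ -n "$path" ] || continue
        if [ "$ctype" = KCM ]; then
            printf 'LINGERING %s owner=%s\n' "$path" "$owner"
        fi
        case $mode in
            *00) ;;
            *) printf 'PERMS %s mode=%s owner=%s\n' "$path" "$mode" "$owner" ;;
        esac
    done <<EOF
$(list_file_caches "${2:-/tmp}")
EOF
    return 0
}

# Usage: audit_caches /etc/centrifydc/centrifydc.conf /tmp
```

A LINGERING finding is expected for users who were logged in when the policy changed; it becomes worth investigating when the owner no longer has an active session.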