KB000011: Users report delays in obtaining just-in-time access via AD

Summary

Users may report a delay between being granted just-in-time (JIT) access via the web app and that access actually becoming usable on the target computer.

Cause

There are several possible causes for delayed JIT access.

  1. The user needs to log off and log back on. Windows builds a user's access token, including the list of groups they belong to, at logon and does not re-evaluate it for the life of that session. A user who has just been added to a group that grants local Administrators membership is therefore only seen as an administrator in a brand new logon session (a full log off and log on; locking and unlocking the workstation does not create one). There is no supported way to force Windows to refresh the group membership of an existing session.

  2. Cross-site replication delays. Active Directory replicates changes between sites on the schedule of the site link, not immediately. The replication interval on a site link is at least 15 minutes (the minimum Active Directory allows; the default for a new site link is 180 minutes), so a group membership change written to a DC in one site reaches DCs in another site no more than once per interval. The delay is longer when the change has to hop through further sites downstream, or when the site link schedule only allows replication at certain times of day.

    Access Manager will always try to find a DC in the same site as the computer that is being JIT'd into, so that the change is visible to that computer as soon as it is written. If there is no DC in that site, or AMS cannot correctly determine which site the computer is in, AMS falls back to a DC in its own site, and the computer's DC only sees the change once inter-site replication has carried it across.

    1. You can improve the site discovery process by installing the Access Manager agent on your devices. The agent will report its connected DC to the AMS server regularly.

    2. If the AMS server can contact the target computer via SMB (TCP 445), it can ask the computer what domain controller it is using.

    3. You can use authorization rules to specify which site or DC should be targeted for any given rule. If you have an OU of computers that are always located in a specific site, you can update the computer authorization rule for that OU to specify the site or DC that should be used.
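The following PowerShell is an added example for this article; it is not part of Access Manager and does not call any AMS API. It separates the two causes above: the first function, run on the target computer as the affected user, checks whether the group is present in the directory but missing from the current logon token (cause 1); the second, run from the AMS server, reports which DC and site the target computer actually uses, the replication interval of the site links between that site and the AMS server's site, and when the target's DC last replicated from its partners (cause 2). It assumes the RSAT ActiveDirectory module and nltest.exe are available; the group name, computer name and domain name used in the usage note are hypothetical.

```powershell
# Added example for this KB (not Access Manager code). Assumes the RSAT
# ActiveDirectory module and nltest.exe are present on the host running it.

# Run ON THE TARGET COMPUTER, as the user who was granted JIT access.
# $JitGroupName is the AD group AMS added the user to (hypothetical name).
function Test-JitGroupInToken {
    param(
        [Parameter(Mandatory)][string]$JitGroupName,
        [string]$Server   # DC to query; leave empty to let the module pick one
    )
    $ad = @{ Identity = $JitGroupName }
    if ($Server) { $ad.Server = $Server }
    $groupSid = (Get-ADGroup @ad).SID.Value

    # The groups in the access token were fixed when this session was created;
    # they do not change until the user logs off and on again.
    $token   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $inToken = $token.Groups.Value -contains $groupSid
    $inAd    = $null -ne (Get-ADGroupMember @ad -Recursive |
                          Where-Object { $_.SID.Value -eq $token.User.Value })

    $verdict = if ($inAd -and -not $inToken) { 'Granted in AD but not in this session: log off and log on again' }
               elseif ($inAd)                { 'Membership is present in the logon token' }
               else                          { 'Not a member on the DC queried: check DC selection and replication' }

    [pscustomobject]@{ Group = $JitGroupName; InDirectory = $inAd; InLogonToken = $inToken; Verdict = $verdict }
}

# Run FROM THE AMS SERVER (or another domain-joined admin host) against the JIT target.
function Get-JitDcDiagnostics {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$DomainName   # DNS domain name (hypothetical in the usage note)
    )
    function Get-SiteNameFromDn([string]$Dn) { ($Dn -split ',')[0] -replace '^CN=' }

    # Secure-channel DC and site as the target computer itself reports them.
    # 'nltest /server:' talks to the remote Netlogon service over SMB (TCP 445),
    # the same path the article describes for AMS asking the computer for its DC.
    $sc         = @(nltest /server:$ComputerName /sc_query:$DomainName) -join "`n"
    $targetDc   = [regex]::Match($sc, 'Trusted DC Name\s+\\\\(\S+)').Groups[1].Value
    $targetSite = @(nltest /server:$ComputerName /dsgetsite)[0].Trim()
    $localSite  = @(nltest /dsgetsite)[0].Trim()   # site of the host running this, i.e. AMS

    # Site links joining the two sites, with their replication interval in minutes.
    $links = Get-ADReplicationSiteLink -Filter * |
        Where-Object {
            $sites = $_.SitesIncluded | ForEach-Object { Get-SiteNameFromDn $_ }
            ($sites -contains $targetSite) -and ($sites -contains $localSite)
        } |
        Select-Object Name, ReplicationFrequencyInMinutes

    # When the target computer's DC last successfully pulled changes from each partner.
    $partners = Get-ADReplicationPartnerMetadata -Target $targetDc -ErrorAction SilentlyContinue |
        Select-Object Partner, LastReplicationSuccess, LastReplicationResult

    [pscustomobject]@{
        TargetComputer   = $ComputerName
        TargetDc         = $targetDc
        TargetSite       = $targetSite
        AmsSite          = $localSite
        SameSite         = ($targetSite -eq $localSite)
        SiteLinks        = $links
        TargetDcPartners = $partners
    }
}

# Usage (hypothetical names):
#   Test-JitGroupInToken -JitGroupName 'JIT-WS01-Admins'
#   Get-JitDcDiagnostics -ComputerName 'WS01' -DomainName 'corp.example.com'
```

If Test-JitGroupInToken reports InDirectory true and InLogonToken false, cause 1 applies and no amount of waiting will help. If Get-JitDcDiagnostics shows SameSite false, the change written by AMS reaches the target's DC only on the next cycle of the listed site links (or later if LastReplicationSuccess is stale), which is the case to address with the agent, SMB reachability, or a site/DC pinned in the authorization rule as described above.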

Further Troubleshooting

The access-manager-webapp.log file records the DC location decision-making process. Perform a JIT operation, locate the corresponding section of the log and look for DCLocator events, which indicate the DC that was chosen for the JIT operation and why.
