Clear computer Kerberos ticket and certificate cache
Anyone who uses groups to assign permissions knows the problem. After the assignment to a new group, this right is not immediately effective. The tip is then usually to re-login. However, if a server is authorized e.g. to a certificate via a group membership, this means a restart of the server.
However, the correct solution is much simpler: deleting the Kerberos ticket and removing the cache entries from the certificate store. After executing the appropriate commands, it is possible to issue the new certificate.
# Clear Computer Kerberos tickets klist -li 0x3e7 purge | Out-Null # Clear certutil cache certutil -f -policyserver * -policycache delete | Out-Null