What are Active Directory Kerberos Policies?
Kerberos is the default authentication protocol in an Active Directory environment. Five Kerberos policy settings directly govern Active Directory authentication. Like the password and account lockout policies, they are account policies and only take effect for domain accounts when configured at the domain level, normally in the Default Domain Policy GPO under Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. Let’s walk through each of them in brief.
1. Enforce user logon restrictions – When enabled, the KDC validates every request for a service ticket against the user rights assignment on the target computer: the user must hold either the “Allow log on locally” or the “Access this computer from the network” right there. (A user ticket, the ticket-granting ticket or TGT, is issued by the KDC when the user authenticates and is what the client presents when it asks for service tickets; it is a Kerberos ticket, not a certificate.) This policy is enabled by default; the extra check costs a little time per ticket request, which is why it is optional.
2. Maximum lifetime for service ticket – The maximum time, in minutes, that a service ticket remains valid once issued. The default is 600 minutes (10 hours). The value must be greater than 10 minutes and must not exceed the “Maximum lifetime for user ticket” setting; a value of zero means service tickets never expire. An expired service ticket is not renewed; the client simply requests a new one with its TGT.
3. Maximum lifetime for user ticket – The maximum time, in hours, that a user ticket (TGT) remains valid. The default is 10 hours, which matches the default service ticket lifetime. If set to zero, the TGT never expires.
4. Maximum lifetime for user ticket renewal – A TGT can be renewed as it nears the end of its validity period instead of the user authenticating again. This policy sets the period, in days, measured from when the TGT was first issued, during which it may be renewed; once that period has elapsed the client must obtain a fresh TGT with the user’s credentials. The default is 7 days.
5. Maximum tolerance for computer clock synchronization – The maximum difference, in minutes, allowed between the clock on the client computer and the clock on the authenticating domain controller. Kerberos relies on timestamps to detect replayed messages, so a request outside this tolerance is rejected with the KRB_AP_ERR_SKEW error. Note that computers compare the time in UTC, so local time zone settings do not matter. The default is 5 minutes.
Although the default settings are appropriate for most environments, the policies can be made more stringent by shortening the user and service ticket lifetimes, which limits how long a stolen ticket remains usable. The trade-off is that shorter lifetimes mean more frequent ticket requests and renewals and therefore more load on the domain controllers. Note also that a change applies only to tickets issued after it takes effect; tickets clients already hold keep the lifetime stamped into them.
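To make the five settings concrete, here is an added PowerShell example (it is not from the original post) that reads the effective Kerberos policy on a domain controller from a secedit export, maps the INF keys to the five policy names above with their defaults and units, and flags values that differ from the defaults or break the constraints between them. It assumes secedit.exe is present (it ships with Windows) and that the export contains a [Kerberos Policy] section, which it does when run on a domain controller; the function name and the temporary file name are my own choices.

```powershell
# Added example, not part of the original post. Reads the effective Kerberos policy
# from a secedit export and compares it with the defaults described in the article.
# Run in an elevated PowerShell session on a domain controller.
# Assumptions: secedit.exe is available (it ships with Windows) and the export
# contains a [Kerberos Policy] section, which it does on a DC.

function Get-KerberosPolicy {
    $inf = Join-Path $env:TEMP 'kerberos-policy.inf'   # temporary file name is arbitrary
    & secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed; run from an elevated prompt' }

    # Parse only the [Kerberos Policy] section of the INF into a hashtable of integers.
    $policy = @{}
    $inSection = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Kerberos Policy'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(\d+)') { $policy[$Matches[1]] = [int]$Matches[2] }
    }
    Remove-Item $inf -Force
    if ($policy.Count -eq 0) { throw 'No [Kerberos Policy] section in the export; run this on a domain controller' }
    return $policy
}

# INF key -> the policy name used in the article, its default value and unit.
$settings = @(
    @{ Key = 'TicketValidateClient'; Name = 'Enforce user logon restrictions';                      Default = 1;   Unit = '1=Enabled' }
    @{ Key = 'MaxServiceAge';        Name = 'Maximum lifetime for service ticket';                  Default = 600; Unit = 'minutes'   }
    @{ Key = 'MaxTicketAge';         Name = 'Maximum lifetime for user ticket';                     Default = 10;  Unit = 'hours'     }
    @{ Key = 'MaxRenewAge';          Name = 'Maximum lifetime for user ticket renewal';             Default = 7;   Unit = 'days'      }
    @{ Key = 'MaxClockSkew';         Name = 'Maximum tolerance for computer clock synchronization'; Default = 5;   Unit = 'minutes'   }
)

$policy = Get-KerberosPolicy

# One line per setting: name, configured value, unit, and whether it matches the default.
foreach ($s in $settings) {
    $value  = $policy[$s.Key]
    $status = if ($null -eq $value) { 'NOT SET' } elseif ($value -eq $s.Default) { 'default' } else { 'CUSTOM' }
    '{0,-56} {1,6} {2,-10} [{3}]' -f $s.Name, $value, $s.Unit, $status
}

# Cross-checks on the relationships between the settings.
$svc = $policy['MaxServiceAge']
$tgt = $policy['MaxTicketAge']
if ($svc -eq 0 -or $tgt -eq 0) {
    Write-Warning 'A lifetime of 0 means tickets never expire; a stolen ticket stays usable indefinitely.'
}
if ($svc -gt 0 -and $svc -lt 10) {
    Write-Warning 'MaxServiceAge must be greater than 10 minutes.'
}
if ($svc -gt 0 -and $tgt -gt 0 -and $svc -gt ($tgt * 60)) {
    Write-Warning 'Service ticket lifetime exceeds the user ticket (TGT) lifetime; it must not.'
}
if ($policy['TicketValidateClient'] -ne 1) {
    Write-Warning 'Enforce user logon restrictions is disabled; the KDC will not check logon rights per service ticket request.'
}
```

The script only reads the policy that is in force on the domain controller it runs on. To change a value, edit the Default Domain Policy GPO rather than running secedit /configure locally, because the domain GPO overwrites local account policy settings on the next Group Policy refresh. To see the lifetimes actually stamped into the tickets a client currently holds, run klist on that client and compare its Start Time, End Time and Renew Time columns with the policy values printed above.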
Peculiar article, just what I was looking for.
Appreciate this post. Let me try it out.
Hi, I wish to subscribe to this blog to get the most recent updates, so where can I do it? Please help.
I have been using it for a long time with the default settings.
I’ll try to figure out if I can enable the subscribe button from somewhere. :-)
I’m not that much of an online reader, to be honest, but your blog’s really nice, keep it up!
I’ll go ahead and bookmark your website to come back later.
Thank you, I have just been searching for info about this subject for a long time and yours is the best I’ve found so far. However, what about the bottom line? Are you positive about the source?
Pingback: GPO – Password and Account Lockout Policy | Wintel Geeks
Excellent post, however I was wanting to know if you could write a little more on this topic? I’d be very grateful if you could elaborate a little bit further. Appreciate it!
You can always refer to my “Kerberos in Windows” (https://wintelgeeks.com/2013/04/26/68/) article, which elaborates on the functionality of the protocol.
Hi there! I recently wished to ask, do you ever have problems with hackers? My last blog (WordPress) was hacked, and I wound up losing months of hard work as a result of no support. Do you have any solutions to control hackers?