What are Active Directory Kerberos Policies?
Kerberos remains the default authentication protocol in an Active Directory environment. Five Kerberos policies directly relate to Active Directory authentication, and they are applied at the domain level (the Default Domain Policy). Let’s walk through each of these policies in brief.
1. Enforce user logon restrictions – This policy ensures that every user who requests a user ticket is validated against the user rights settings on the target computer. A user ticket (TGT) is a certificate issued by Active Directory (the KDC) that allows the user to request service tickets. The user must hold either the “Allow log on locally” or the “Access this computer from the network” right on the target computer. This policy is enabled by default.
2. Maximum lifetime for service ticket – Defines the maximum time for which a service ticket remains valid. The default is 600 minutes. Setting the value to zero makes service tickets never expire.
3. Maximum lifetime for user ticket – Specifies the time for which the user ticket (TGT) remains valid. The default is 10 hours, which equals the default service ticket lifetime of 600 minutes. If set to zero, the user ticket never expires.
4. Maximum lifetime for user ticket renewal – AD DS can renew a user ticket (ticket-granting ticket) when it nears the end of its validity period. This policy sets the period (in days) during which a user ticket (TGT) may be renewed. The default is seven days.
5. Maximum tolerance for computer clock synchronization – This policy sets the maximum time difference permitted between the clock on the client computer and the clock on the authenticating domain controller. Note that computers measure this difference in universal time (UTC), not in local time zone settings. The default is 5 minutes.
Although the default settings are appropriate for most environments, these policies can be made more stringent by decreasing the user and service ticket lifetimes. The trade-off is more processing load on the domain controllers, because clients must return to the KDC for fresh tickets more often.
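As an added example (not code from the original article), the following PowerShell audits the five settings above as they are stored in a GPO security template (GptTmpl.inf) and compares them with the defaults the article lists. It assumes the `[Kerberos Policy]` section key names that Windows writes to that file (MaxServiceAge and MaxClockSkew in minutes, MaxTicketAge in hours, MaxRenewAge in days, TicketValidateClient as 0/1). The template content is a constructed sample embedded inline so the script runs offline; it deliberately contains a weakened value (service tickets set never to expire) beside a tightened one (a shorter TGT lifetime).

```powershell
# Added example: audit Kerberos policy values from a GptTmpl.inf security template.
# Assumption: key names and units are those Windows writes under [Kerberos Policy].

function Get-KerberosPolicyFromTemplate {
    param([Parameter(Mandatory)][string[]]$TemplateLines)

    $inSection = $false
    $settings  = @{}
    foreach ($line in $TemplateLines) {
        $trimmed = $line.Trim()
        # Section header: only the [Kerberos Policy] section is of interest.
        if ($trimmed -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Kerberos Policy')
            continue
        }
        # "Key = Value" lines inside the section; values are integers.
        if ($inSection -and $trimmed -match '^(\w+)\s*=\s*(\d+)$') {
            $settings[$Matches[1]] = [int]$Matches[2]
        }
    }
    return $settings
}

function Test-KerberosPolicy {
    param([Parameter(Mandatory)][hashtable]$Settings)

    # Defaults as described in the article: logon restrictions on, service ticket
    # 600 min, TGT 10 h, renewal 7 days, clock skew 5 min.
    $expected = [ordered]@{
        TicketValidateClient = @{ Name = 'Enforce user logon restrictions';                      Default = 1;   Unit = '' }
        MaxServiceAge        = @{ Name = 'Maximum lifetime for service ticket';                  Default = 600; Unit = 'min' }
        MaxTicketAge         = @{ Name = 'Maximum lifetime for user ticket';                     Default = 10;  Unit = 'h' }
        MaxRenewAge          = @{ Name = 'Maximum lifetime for user ticket renewal';             Default = 7;   Unit = 'd' }
        MaxClockSkew         = @{ Name = 'Maximum tolerance for computer clock synchronization'; Default = 5;   Unit = 'min' }
    }

    foreach ($key in $expected.Keys) {
        $meta = $expected[$key]
        if (-not $Settings.ContainsKey($key)) {
            [pscustomobject]@{ Setting = $meta.Name; Value = $null; Status = 'NOT SET (built-in default applies)' }
            continue
        }
        $value  = $Settings[$key]
        $status = switch ($key) {
            'TicketValidateClient' { if ($value -eq 1) { 'OK' } else { 'WEAK: logon restrictions not enforced' } }
            'MaxClockSkew'         { if ($value -le $meta.Default) { 'OK' } else { 'WEAK: skew tolerance above the 5 min default' } }
            default {
                if     ($value -eq 0)             { 'WEAK: 0 means tickets never expire' }
                elseif ($value -gt $meta.Default) { "WEAK: above default of $($meta.Default)$($meta.Unit)" }
                elseif ($value -lt $meta.Default) { 'TIGHTENED: below default (expect more KDC load)' }
                else                              { 'OK: default' }
            }
        }
        [pscustomobject]@{ Setting = $meta.Name; Value = "$value$($meta.Unit)"; Status = $status }
    }
}

# Constructed sample template (not a real domain's file): service tickets never
# expire, TGT lifetime shortened to 8 h, everything else at default.
$sample = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Kerberos Policy]
MaxTicketAge = 8
MaxRenewAge = 7
MaxServiceAge = 0
MaxClockSkew = 5
TicketValidateClient = 1
'@ -split "`r?`n"

Test-KerberosPolicy -Settings (Get-KerberosPolicyFromTemplate -TemplateLines $sample) | Format-Table -AutoSize
```

To run this against a real domain, replace `$sample` with the lines of the Default Domain Policy template read from SYSVOL, for example `Get-Content -Path '\\<domain>\SYSVOL\<domain>\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'` (the GUID is the well-known one for the Default Domain Policy; the file is UTF-16 with a BOM, which Get-Content detects). A key that is absent from the section is reported as "NOT SET", since the domain then uses the built-in default rather than a value you have reviewed.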