Article ID: 231849 - Last Review: February 26, 2007 - Revision: 2.2

Description of Kerberos Policies in Windows 2000

View products that this article applies to.
This article was previously published under Q231849

On This Page

Expand all | Collapse all

SUMMARY

In Windows 2000, Kerberos policy is defined at the domain level and implemented by the domain's Key Distribution Center (KDC). Kerberos policy is stored in Active Directory as a subset of the attributes of a domain security policy. By default, policy options can only be set by members of the Domain Administrators group.
Back to the top

MORE INFORMATION

Kerberos Policies

Enforce User Logon Restrictions

When this option is enabled, the KDC validates every request for a session ticket by examining the user rights policy on the target computer to verify that the user has the right either to log on locally or to access the computer from the network. It is also a check to ensure the requesting account is still valid. Verification is optional because the extra step takes time and may slow network access to services. The default is Enabled.

Maximum Lifetime That a User Ticket Can Be Renewed

This is the maximum lifetime of a ticket [either a Ticket Granting Ticket (TGT) or a session ticket, although the policy specifies this is for a "user ticket"]. No ticket can be renewed after this time. Default value: 7 days.

Maximum Service Ticket Lifetime

A "service ticket" is a session ticket. Settings are in minutes. The setting must be more than ten minutes and less than the setting for "Maximum user ticket lifetime." Default value: 10 hours.

Maximum Tolerance for Synchronization of Computer Clocks

When the KDC clock is this many minutes different from the Kerberos client's clock, tickets are not issued for the client. This is a deterrent in Replay attacks. Settings are in minutes. Default value: 5 minutes.

Maximum User Ticket Lifetime

A "user ticket" is a TGT and must be renewed after this time. Default value: 10 hours.
Back to the top

Viewing or Modifying Values

To view and make changes to these values:
  1. Start the Microsoft Management Console (MMC).
  2. Add the Group Policy snap-in for the default domain policy. To do this, click Browse when you are prompted to select a Group Policy Object (GPO) and then click Default Domain Policy.
  3. Double-click to open the following sections: Computer Configuration; Windows Settings; Security Settings; Account Policies; Kerberos Policy.
  4. Make changes as needed, but proceed with caution.
Back to the top
APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
Back to the top
Keywords: 
kbenv kbinfo KB231849
Back to the top
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations

 

Related Support Centers