Article ID: 232179 - View products that this article applies to.
This article was previously published under Q232179
The Windows 2000 implementation of the Kerberos Authentication protocol does not require extensive administration or configuration. Because it is the default authentication package, it is installed automatically on all Microsoft Windows 2000-based computers. Except for smart cards, Kerberos is normally an automatic process and you are not required to set it up. There are very few policy choices that can be applied to Kerberos. Network Monitor does not have a built-in parser, and because most Kerberos traffic is encrypted, traces are not very revealing and therefore not very useful. This article describes administration of the Kerberos protocol.
Two utilities are included for Kerberos administration: KerbTray and NetDom.
KerbTrayKerbTray is used to display ticket information for a given computer running the Kerberos protocol. The KerbTray icon is located in the system tray (on the right side of the taskbar) and can be used to view and purge the ticket cache. To use KerbTray, right-click the icon, and then click List Tickets or Purge Tickets. When you are viewing the ticket cache, the following flags map to the Flags column:
Ticket Flag Defaults
NetDomNetDom is a Resource Kit tool for manipulating secure channels between servers to servers and servers to workstations. In Windows 2000, NetDom is a tool that checks for domain servers and trusts. It has been modified to also allow for the resetting of Kerberos transitive trusts.
Kerberos Policy SettingsIn Windows 2000, the Kerberos policy is defined at the domain level and implemented by the domain's Key Distribution Center (KDC). The Kerberos policy is stored in Active Directory as a subset of the attributes of the domain security policy. By default, policy options can be set only by members of the Domain Administrators group.
The Kerberos policy is located in the Default Domain Policy and includes the following options:
Enforce User Logon RestrictionsWhen this option is enabled, the KDC validates every request for a session ticket by examining the user rights policy on the target computer to verify that the user has the right either to log on locally or to gain access to the computer from the network. It is also a check to ensure that the requesting account is still valid. Verification is optional because the extra step takes time and may slow network access to services. Default value: Enabled.
Maximum Lifetime That a User Ticket Can Be RenewedThis is the maximum lifetime of a ticket (either a TGT or a session ticket, although the policy specifies that this is for a "user ticket"). No ticket can be renewed after this time. Default value: 7 days.
Maximum Service Ticket LifetimeA "service ticket" is a session ticket. Settings are in minutes. The setting must be more than ten minutes and less than the setting for "Maximum user ticket lifetime." Default value: 10 hours.
Maximum Tolerance for Synchronization of Computer ClocksThe KDC server's clock and the Kerberos client's clock have to be synchronized to within a specified number of minutes. If the clocks are not synchronized within the specified number of minutes, tickets are not issued to the client. This is a deterrent in Replay attacks. Settings are in minutes. Default value: 5 minutes.
Maximum User Ticket LifetimeA "user ticket" is a TGT and must be renewed after this time. Default value: 10 hours.