2.2.2 Kerberos Policy
This section defines settings that enable an administrator to configure user logon restrictions, as specified in [RFC1510].
The ABNF for this section MUST be as follows.
    Header = "[" HeaderValue "]" LineBreak
    HeaderValue = "Kerberos Policy"
    Settings = Setting / Setting Settings
    Setting = Key Wsp "=" Wsp Value LineBreak
    Key = "MaxTicketAge" / "MaxRenewAge" / "MaxServiceAge" / "MaxClockSkew" / "TicketValidateClient"
    Value = 1*5DIGIT
The following table provides an explanation for each of the valid key values.
Note: All numerical values are decimal unless explicitly specified otherwise or preceded by 0x. Group Policy: Security Protocol Extension implementations SHOULD use the specified default values.
Setting key | Explanation |
---|---|
MaxServiceAge | Maximum amount of time (in minutes) that a granted session ticket remains valid for accessing a service or resource by using Kerberos before it expires. An expired ticket MUST NOT be accepted as a valid ticket for service or resource access. Details about Kerberos ticket authentication are as specified in [RFC1510]. The value MUST be greater than or equal to 10 and less than or equal to the setting for MaxTicketAge (MaxTicketAge is expressed in hours, so the comparison is against that value converted to minutes). The default is 600 minutes (10 hours). |
MaxTicketAge | Maximum amount of time (in hours) that a user's ticket-granting ticket (TGT) MAY be used before it expires. An expired TGT MUST NOT be accepted as a valid TGT. The default is 10 hours. The value MUST be between zero and 99,999. |
MaxRenewAge | Period of time (in days) during which a user's TGT can be renewed. A TGT MUST NOT be renewed if it is more than MaxRenewAge days old. The default is 7 days. The value MUST be between zero and 99,999. |
MaxClockSkew | Maximum time difference (in minutes) tolerated between the client clock and the clock of the server that provides Kerberos v5 authentication, as specified in [RFC1510]. The default is 5 minutes. The value MUST be between zero and 99,999. |
TicketValidateClient | A flag that determines whether the Kerberos v5 Key Distribution Center (KDC) MUST validate every request for a session ticket against the user rights policy of the user account. Validation of each request for a session ticket is optional because the extra step takes time and can slow network access to services. A nonzero value indicates the policy is enabled; zero indicates it is disabled. The default is enabled. |