The information in this article applies to:
SUMMARY

In Windows 2000, Kerberos policy is defined at the domain level and implemented by the domain's Key Distribution Center (KDC). Kerberos policy is stored in Active Directory as a subset of the attributes of a domain security policy. By default, policy options can only be set by members of the Domain Administrators group.

MORE INFORMATION

Kerberos Policies

Enforce User Logon Restrictions

When this option is enabled, the KDC validates every request for a session ticket by examining the user rights policy on the target computer to verify that the user has the right either to log on locally or to access the computer from the network. It is also a check to ensure that the requesting account is still valid. Verification is optional because the extra step takes time and may slow network access to services. The default is Enabled.

Maximum Lifetime That a User Ticket Can Be Renewed

This is the maximum lifetime of a ticket [either a Ticket Granting Ticket (TGT) or a session ticket, although the policy specifies this is for a "user ticket"]. No ticket can be renewed after this time. Default value: 7 days.

Maximum Service Ticket Lifetime

A "service ticket" is a session ticket. Settings are in minutes. The setting must be more than ten minutes and less than the setting for "Maximum user ticket lifetime." Default value: 10 hours.

Maximum Tolerance for Synchronization of Computer Clocks

When the KDC clock differs from the Kerberos client's clock by more than this many minutes, tickets are not issued for the client. This is a deterrent against replay attacks. Settings are in minutes. Default value: 5 minutes.

Maximum User Ticket Lifetime

A "user ticket" is a TGT and must be renewed after this time. Default value: 10 hours.

Viewing or Modifying Values

To view and make changes to these values:
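The following Python model, added here and not part of the original article, encodes the five policy settings with the defaults listed above and checks the constraints the article states (service ticket lifetime above ten minutes and not above the user ticket lifetime), plus the KDC-side clock-skew and renewal-window decisions those settings drive. The renewal-window check against the user ticket lifetime is an assumption for illustration, not a constraint the article states.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List


# Constructed model of the five policy settings; defaults are the ones the article lists.
@dataclass
class KerberosPolicy:
    enforce_user_logon_restrictions: bool = True
    max_renew_lifetime: timedelta = timedelta(days=7)           # renewal window for a ticket
    max_service_ticket_lifetime: timedelta = timedelta(hours=10)  # session ticket lifetime
    max_clock_skew: timedelta = timedelta(minutes=5)             # clock synchronization tolerance
    max_user_ticket_lifetime: timedelta = timedelta(hours=10)    # TGT lifetime


def validate_policy(p: KerberosPolicy) -> List[str]:
    """Return the constraints the policy breaks (an empty list means it is consistent)."""
    problems = []
    if p.max_service_ticket_lifetime <= timedelta(minutes=10):
        problems.append("service ticket lifetime must be more than 10 minutes")
    # The defaults set both lifetimes to 10 hours, so equality is treated as allowed.
    if p.max_service_ticket_lifetime > p.max_user_ticket_lifetime:
        problems.append("service ticket lifetime must not exceed user ticket lifetime")
    # Assumption (not stated in the article): the renewal window covers at least one TGT lifetime.
    if p.max_renew_lifetime < p.max_user_ticket_lifetime:
        problems.append("renewal lifetime is shorter than the user ticket lifetime")
    return problems


def within_clock_skew(kdc_now: datetime, client_time: datetime, p: KerberosPolicy) -> bool:
    """KDC-side check: a request whose timestamp is further from the KDC clock than the
    tolerance is refused, which bounds how long a captured request remains usable."""
    return abs(kdc_now - client_time) <= p.max_clock_skew


def may_renew(auth_time: datetime, now: datetime, p: KerberosPolicy) -> bool:
    """A ticket can be renewed only while it is still inside the maximum renewal lifetime,
    counted from the original authentication time."""
    return now - auth_time <= p.max_renew_lifetime


if __name__ == "__main__":
    policy = KerberosPolicy()
    print("default policy problems:", validate_policy(policy))
    t0 = datetime(2000, 1, 1, 12, 0, tzinfo=timezone.utc)
    print("6 minute skew accepted:", within_clock_skew(t0, t0 + timedelta(minutes=6), policy))
```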
Last Reviewed: December 29, 1999. © 2000 Microsoft Corporation. All rights reserved.