Kerberos Policy

In Windows 2000, Kerberos ticket policy is defined at the domain level and implemented by the domain's KDC. Kerberos policy is stored in the Active Directory as a subset of the attributes of domain security policy. By default, policy options can be set only by members of the Domain Administrators group. Domain policy includes options to:

• Allow postdated tickets
• Allow forwardable tickets
• Allow renewable tickets
• Set maximum ticket age
• Set maximum renewal age
• Set maximum proxy ticket age
• Forcibly log off users when tickets expire

Although Kerberos policy for a domain may permit delegated authentication by allowing tickets to be forwarded, that aspect of policy need not apply to all users or all computers. An attribute of an individual user account can be set to disable forwarding of that user's credentials by any server. An attribute of an individual computer's account can be set to disable forwarding of credentials from any user. In both cases, delegation can be disabled by creating a group policy to apply to all users or all computers in an organizational unit of the Active Directory.