Microsoft KB Archive/231849

= Description of Kerberos Policies in Windows 2000 =

Article ID: 231849

Article Last Modified on 2/26/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server

-



This article was previously published under Q231849



SUMMARY
In Windows 2000, Kerberos policy is defined at the domain level and enforced by the domain's Key Distribution Center (KDC). Kerberos policy is stored in Active Directory as a subset of the attributes of the domain security policy. By default, the policy options can be set only by members of the Domain Admins group.



Enforce User Logon Restrictions
When this option is enabled, the KDC validates every request for a session (service) ticket by examining the user rights policy on the target computer to verify that the user has the right either to log on locally or to access the computer from the network, and by confirming that the requesting account is still valid (for example, not disabled or expired). The check is optional because the extra step takes time and can slow access to network services. When it is disabled, an account that has been disabled or has expired can keep obtaining session tickets for as long as its existing TGT remains valid. The default is Enabled.

Maximum Lifetime That a User Ticket Can Be Renewed
This is the maximum period, counted from the ticket's original issue time, during which a ticket [either a Ticket Granting Ticket (TGT) or a session ticket, although the policy names only the "user ticket"] can be renewed. No ticket can be renewed after this time, and the value must be at least as long as the "Maximum user ticket lifetime". Settings are in days. Default value: 7 days.

Maximum Service Ticket Lifetime
A "service ticket" is a session ticket. Settings are in minutes. The setting must be greater than ten minutes and no greater than the setting for "Maximum user ticket lifetime" (the two defaults are equal). Default value: 600 minutes (10 hours).

Maximum Tolerance for Synchronization of Computer Clocks
When the KDC's clock and the Kerberos client's clock differ by more than this many minutes, the KDC does not issue tickets to the client; services apply the same tolerance when they check the timestamp in a client's authenticator. Keeping the window short limits how long a captured authenticator can be replayed, and it lets a KDC or service keep a replay cache covering only that window rather than every authenticator ever seen. Settings are in minutes. Default value: 5 minutes.
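The timestamp and replay checks described above, as an added example that is not part of the KB article: a small checker that applies the 5-minute tolerance to an authenticator's timestamp and keeps a replay cache that only needs to cover that window. The error names follow RFC 4120; the client names and timestamps in the scenario are constructed.

```python
from datetime import datetime, timedelta, timezone

# Tolerance for clock synchronization, the policy default described above.
MAX_CLOCK_SKEW = timedelta(minutes=5)


class AuthenticatorChecker:
    """Accepts an authenticator only if its timestamp is within the skew
    window and the same (client, timestamp) pair has not been seen before."""

    def __init__(self, skew=MAX_CLOCK_SKEW):
        self.skew = skew
        self.seen = {}  # (client, ctime) -> ctime

    def _expire(self, now):
        # Anything older than the window fails the skew check anyway, so the
        # cache only has to remember one window's worth of authenticators.
        cutoff = now - self.skew
        self.seen = {k: t for k, t in self.seen.items() if t >= cutoff}

    def check(self, client, ctime, now):
        """Return "OK", "KRB_AP_ERR_SKEW" or "KRB_AP_ERR_REPEAT"."""
        self._expire(now)
        if abs(now - ctime) > self.skew:
            return "KRB_AP_ERR_SKEW"
        key = (client, ctime)
        if key in self.seen:
            return "KRB_AP_ERR_REPEAT"
        self.seen[key] = ctime
        return "OK"


def demo():
    """Constructed scenario; returns the verdict for each step in order."""
    checker = AuthenticatorChecker()
    t0 = datetime(2007, 2, 26, 12, 0, tzinfo=timezone.utc)
    results = []
    # 1. Fresh authenticator from alice, one minute old: accepted.
    alice_ctime = t0 - timedelta(minutes=1)
    results.append(checker.check("alice@EXAMPLE.COM", alice_ctime, t0))
    # 2. The same authenticator replayed 30 seconds later: caught by the cache.
    results.append(checker.check("alice@EXAMPLE.COM", alice_ctime,
                                 t0 + timedelta(seconds=30)))
    # 3. bob's clock is six minutes behind the service: rejected for skew.
    results.append(checker.check("bob@EXAMPLE.COM",
                                 t0 - timedelta(minutes=6), t0))
    # 4. alice's authenticator replayed after the window has passed: the cache
    #    has already forgotten it, but the skew check rejects it anyway.
    results.append(checker.check("alice@EXAMPLE.COM", alice_ctime,
                                 t0 + timedelta(minutes=7)))
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Step 4 is the point of the design: because the skew check already rejects anything older than the window, the replay cache can safely drop entries as soon as they leave it, which is why a short tolerance keeps the cache small.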

Maximum User Ticket Lifetime
A "user ticket" is a TGT. After this lifetime the TGT expires and must be renewed, or the user must obtain a new one by authenticating again. Settings are in hours. Default value: 10 hours.

Viewing or Modifying Values
To view and make changes to these values (Kerberos policy is applied only from a GPO linked to the domain, so edit the Default Domain Policy rather than a GPO linked to an organizational unit):
 * 1) Start the Microsoft Management Console (MMC).
 * 2) Add the Group Policy snap-in for the default domain policy. To do this, click Browse when you are prompted to select a Group Policy Object (GPO) and then click Default Domain Policy.
 * 3) Double-click to open the following sections: Computer Configuration; Windows Settings; Security Settings; Account Policies; Kerberos Policy.
 * 4) Make changes as needed, but proceed with caution.
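As an added example that is not part of the KB article: the settings above are stored in the [Kerberos Policy] section of the security template that the Default Domain Policy carries (the form that secedit /export /cfg writes). The script below reads that section and checks it against the constraints and defaults described in this article. The template text is constructed, with two values deliberately changed so that findings appear; a real exported template is normally UTF-16 with a BOM, so open it with encoding="utf-16" before passing its contents in.

```python
import configparser

# Constructed security template excerpt (not a real export). MaxServiceAge
# and TicketValidateClient are changed from the defaults on purpose.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 720
MaxClockSkew = 5
TicketValidateClient = 0
"""

# Windows 2000 defaults and the unit each value is stored in.
DEFAULTS = {
    "MaxTicketAge": (10, "hours"),        # Maximum user ticket lifetime
    "MaxRenewAge": (7, "days"),           # Maximum lifetime a user ticket can be renewed
    "MaxServiceAge": (600, "minutes"),    # Maximum service ticket lifetime
    "MaxClockSkew": (5, "minutes"),       # Maximum tolerance for clock synchronization
    "TicketValidateClient": (1, ""),      # Enforce user logon restrictions (1 = enabled)
}


def parse_kerberos_policy(template_text):
    """Return the [Kerberos Policy] values as a dict of ints."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep the template's capitalised key names
    cp.read_string(template_text)
    section = cp["Kerberos Policy"]
    return {key: int(section[key]) for key in DEFAULTS}


def check_kerberos_policy(template_text):
    """Return a list of findings; an empty list means the policy satisfies
    the article's constraints and matches the defaults."""
    p = parse_kerberos_policy(template_text)
    findings = []
    ticket_minutes = p["MaxTicketAge"] * 60
    renew_minutes = p["MaxRenewAge"] * 24 * 60
    # Service ticket lifetime: more than 10 minutes, no more than the TGT lifetime.
    if not (10 < p["MaxServiceAge"] <= ticket_minutes):
        findings.append(f"MaxServiceAge={p['MaxServiceAge']} must be >10 and "
                        f"<= MaxTicketAge ({ticket_minutes} min)")
    # Renewal period must cover at least one TGT lifetime.
    if renew_minutes < ticket_minutes:
        findings.append(f"MaxRenewAge={p['MaxRenewAge']} days is shorter than "
                        f"MaxTicketAge={p['MaxTicketAge']} hours")
    # With logon restrictions off, disabled accounts keep getting session tickets.
    if p["TicketValidateClient"] != 1:
        findings.append("TicketValidateClient=0: disabled or expired accounts "
                        "keep obtaining session tickets until the TGT expires")
    for key, (default, unit) in DEFAULTS.items():
        if p[key] != default:
            findings.append(f"{key}={p[key]} differs from the default of "
                            f"{default} {unit}".rstrip())
    return findings


if __name__ == "__main__":
    for finding in check_kerberos_policy(SAMPLE_TEMPLATE):
        print(finding)
```

Run it against the template you export from your own domain; the unit column in DEFAULTS is the part people most often get wrong when editing the template by hand, since the three lifetimes use three different units.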

Keywords: kbenv kbinfo KB231849

-


© Microsoft Corporation. All rights reserved.