O'Reilly logo

Active Directory Cookbook by Robbie Allen

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

14.19. Modifying Kerberos Settings

Problem

You want to modify the default Kerberos settings that define things, such as maximum ticket lifetime.

Solution

Using a graphical user interface

  1. Open the Domain Security Policy snap-in.

  2. In the left pane, expand Account Policies Kerberos Policy.

  3. In the right pane, double-click on the setting you want to modify.

  4. Enter the new value and click OK.

Discussion

There are several Kerberos-related settings you can customize. In most environments, the default settings are sufficient, but the ones you can modify are listed in Table 14-1.

Warning

Change the default settings with caution as it could cause operational problems and compromise security if done incorrectly.

Table 14-1. Kerberos policy settings

Setting

Default value

Enforce user logon restrictions

Enabled

Maximum lifetime for service ticket

600 minutes

Maximum lifetime for user ticket

10 hours

Maximum lifetime for user ticket renewal

7 days

Maximum tolerance for computer clock synchronization

5 minutes

See Also

MS KB 231849 (Description of Kerberos Policies in Windows 2000) and MS KB 232179 (Kerberos Administration in Windows 2000)

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required