14.19. Modifying Kerberos Settings
Problem
You want to modify the default Kerberos settings that control things such as the maximum ticket lifetime.
Solution
Using a graphical user interface
1. Open the Domain Security Policy snap-in.
2. In the left pane, expand Account Policies → Kerberos Policy.
3. In the right pane, double-click on the setting you want to modify.
4. Enter the new value and click OK.
Discussion
There are several Kerberos-related settings you can customize. The default settings are sufficient in most environments; the ones you can modify are listed in Table 14-1.
Warning
Change the default settings with caution; incorrect values can cause operational problems and compromise security.
Table 14-1. Kerberos policy settings
| Setting | Default value |
|---|---|
| Enforce user logon restrictions | Enabled |
| Maximum lifetime for service ticket | 600 minutes |
| Maximum lifetime for user ticket | 10 hours |
| Maximum lifetime for user ticket renewal | 7 days |
| Maximum tolerance for computer clock synchronization | 5 minutes |
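To confirm that a change made through the snap-in is the only deviation from Table 14-1, the following Python function compares the `[Kerberos Policy]` section of an exported security template with the table's defaults and reports every setting that differs or is undefined. It is an added example, not part of the original recipe; the template key names and their units are not given on the page, and the sample export is constructed.

```python
import configparser

# Table 14-1 defaults, keyed by the names used in the [Kerberos Policy]
# section of a security template (.inf). Key names and units are assumptions
# relative to the page, which lists only the display names.
DEFAULTS = {
    "TicketValidateClient": (1, "Enforce user logon restrictions", "1 = Enabled"),
    "MaxServiceAge": (600, "Maximum lifetime for service ticket", "minutes"),
    "MaxTicketAge": (10, "Maximum lifetime for user ticket", "hours"),
    "MaxRenewAge": (7, "Maximum lifetime for user ticket renewal", "days"),
    "MaxClockSkew": (5, "Maximum tolerance for computer clock synchronization", "minutes"),
}

# Constructed sample export: renewal and clock skew changed, one key undefined.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 30
MaxServiceAge = 600
MaxClockSkew = 15
[Version]
signature="$CHICAGO$"
Revision=1
"""

def kerberos_drift(inf_text):
    """Return [(setting, default, actual, unit)] for values that differ from Table 14-1."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(inf_text)  # option names are matched case-insensitively
    section = parser["Kerberos Policy"] if parser.has_section("Kerberos Policy") else {}
    drift = []
    for key, (default, label, unit) in DEFAULTS.items():
        raw = section.get(key)
        if raw is None:
            drift.append((label, default, None, unit))  # not defined in this template
        elif int(raw) != default:
            drift.append((label, default, int(raw), unit))
    return drift

if __name__ == "__main__":
    for label, default, actual, unit in kerberos_drift(SAMPLE_INF):
        print(f"{label}: default {default}, found {actual} ({unit})")
```

Security templates are normally saved as UTF-16, so open a real export with `encoding="utf-16"` before passing its text to `kerberos_drift`.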
See Also
MS KB 231849 (Description of Kerberos Policies in Windows 2000) and MS KB 232179 (Kerberos Administration in Windows 2000)