14.19. Modifying Kerberos Settings
Problem
You want to modify the default Kerberos settings that define things, such as maximum ticket lifetime.
Solution
Using a graphical user interface
Open the Domain Security Policy snap-in.
In the left pane, expand Account Policies → Kerberos Policy.
In the right pane, double-click on the setting you want to modify.
Enter the new value and click OK.
Discussion
There are several Kerberos-related settings you can customize. In most environments, the default settings are sufficient, but the ones you can modify are listed in Table 14-1.
Warning
Change the default settings with caution as it could cause operational problems and compromise security if done incorrectly.
Table 14-1. Kerberos policy settings
Setting |
Default value |
---|---|
Enforce user logon restrictions |
Enabled |
Maximum lifetime for service ticket |
600 minutes |
Maximum lifetime for user ticket |
10 hours |
Maximum lifetime for user ticket renewal |
7 days |
Maximum tolerance for computer clock synchronization |
5 minutes |
See Also
MS KB 231849 (Description of Kerberos Policies in Windows 2000) and MS KB 232179 (Kerberos Administration in Windows 2000)
Get Active Directory Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.