
3.3.3 Initialization

Kerberos V5 specifies that all KDCs in a domain MUST have the same key, and the name of the service for the TGS is "krbtgt/domain-name" SPN ([RFC4120] section 6.2).

KILE implementations that use the LSAD for the configuration database load the KDC configuration from the Kerberos Policy Information ([MS-LSAD] section 3.1.1.1). The KDC SHOULD call the LsarQueryDomainInformationPolicy method ([MS-LSAD] section 3.1.4.4.7), and the InformationClass parameter SHOULD be set to the value of PolicyDomainKerberosTicketInformation in order to retrieve the current values. The KDC SHOULD set its configuration settings as follows:

  • MaxRenewAge (section 3.3.1) to the value of the MaxRenewAge field.

  • MaxClockSkew (section 3.3.1) to the value of the MaxClockSkew field.

  • MaxServiceTicketAge (section 3.3.1) to the value of the MaxServiceTicketAge field.

  • MaxTicketAge (section 3.3.1) to the value of the MaxTicketAge field.

  • AuthenticationOptions (section 3.3.1) to the value of the AuthenticationOptions field.

Implementations of KILE KDCs that use an AD for the account database MUST use the krbtgt account in the AD.

If the KDC has a ticket replay cache, it MUST be reset when the KDC starts up.

If the KDC has a ticket cache, the ticket cache MUST be initialized to an empty state.

If the KDC supports:<41>

  • FAST: the KDC SHOULD set the FAST-supported bit on the krbtgt account’s KerbSupportedEncryptionTypes.

  • Claims: the KDC SHOULD set the Claims-supported bit on the krbtgt account’s KerbSupportedEncryptionTypes.
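The following PowerShell check is an added example, not part of the specification: it reads the krbtgt account's KerbSupportedEncryptionTypes from the directory and reports whether the FAST-supported and Claims-supported bits described above are present. It assumes the ActiveDirectory module is available, that the field is stored in the msDS-SupportedEncryptionTypes attribute, and that the bit values are those defined in [MS-KILE] section 2.2.7 (a section not quoted on this page).

```powershell
# Added example (not from [MS-KILE]): audit the krbtgt account's supported
# encryption type flags that section 3.3.3 says a FAST- or Claims-capable KDC sets.
# Assumptions: ActiveDirectory module present; attribute name and bit values as noted
# in the lead-in. Run on a domain-joined host with rights to read the krbtgt account.
Import-Module ActiveDirectory

# Bit flags of the supported encryption types field (assumed from [MS-KILE] 2.2.7).
$KerbEncTypeFlags = [ordered]@{
    'DES_CBC_CRC'                       = 0x00000001
    'DES_CBC_MD5'                       = 0x00000002
    'RC4_HMAC_MD5'                      = 0x00000004
    'AES128_CTS_HMAC_SHA1_96'           = 0x00000008
    'AES256_CTS_HMAC_SHA1_96'           = 0x00000010
    'FAST-supported'                    = 0x00010000
    'Compound-identity-supported'       = 0x00020000
    'Claims-supported'                  = 0x00040000
    'Resource-SID-compression-disabled' = 0x00080000
}

function Get-KrbtgtSupportedEncTypes {
    # Returns the raw integer value of msDS-SupportedEncryptionTypes on krbtgt.
    # An unset attribute is treated as 0 (no flags).
    param([string]$Server)
    $params = @{ Identity = 'krbtgt'; Properties = 'msDS-SupportedEncryptionTypes' }
    if ($Server) { $params['Server'] = $Server }   # optional: query a specific DC
    $acct = Get-ADUser @params
    $raw = $acct.'msDS-SupportedEncryptionTypes'
    if ($null -eq $raw) { return 0 }
    return [int]$raw
}

function Test-KrbtgtKdcFlags {
    # Decodes the flags and reports the two bits section 3.3.3 is about.
    param([string]$Server)
    $value = Get-KrbtgtSupportedEncTypes -Server $Server
    $set = $KerbEncTypeFlags.GetEnumerator() |
        Where-Object { ($value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
    [pscustomobject]@{
        RawValue        = ('0x{0:X8}' -f $value)
        FlagsSet        = ($set -join ', ')
        FastSupported   = (($value -band $KerbEncTypeFlags['FAST-supported']) -ne 0)
        ClaimsSupported = (($value -band $KerbEncTypeFlags['Claims-supported']) -ne 0)
    }
}

Test-KrbtgtKdcFlags | Format-List
```

The bits are set by the KDC itself when it supports FAST or Claims, so their absence is expected in a domain whose KDCs do not implement those features rather than a misconfiguration in itself.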

© 2014 Microsoft. All rights reserved.