2.2.2 Kerberos Policy

This section defines settings that enable an administrator to configure user logon restrictions, as specified in [RFC1510].

The ABNF for this section MUST be as follows.

 Header = "[" HeaderValue "]" LineBreak
 HeaderValue = "Kerberos Policy"
 Settings = Setting / Setting Settings
 Setting = Key Wsp "=" Wsp Value LineBreak
 Key = "MaxTicketAge" / "MaxRenewAge" / "MaxServiceAge" /
       "MaxClockSkew" / "TicketValidateClient"
 Value = 1*5DIGIT

The following table provides an explanation for each of the valid key values.

Note: All numerical values are decimal unless explicitly specified otherwise or preceded by 0x. Group Policy: Security Protocol Extension implementations SHOULD use the specified default values.

Setting key / Explanation

MaxServiceAge
    Maximum amount of time (in minutes) that a granted session ticket MUST be valid to access a service or resource by using Kerberos before it expires. An expired ticket MUST NOT be accepted as a valid ticket for service or resource access. Details about Kerberos ticket authentication are as specified in [RFC1510]. The value MUST be greater than or equal to 10 and less than or equal to the setting for MaxTicketAge. The default is 600 minutes (10 hours).

MaxTicketAge
    Maximum amount of time (in hours) that a user's ticket-granting ticket (TGT) MAY be used before it expires. An expired TGT MUST NOT be accepted as a valid TGT. The default is 10 hours. The value MUST be between zero and 99,999.

MaxRenewAge
    Period of time (in days) during which a user's TGT can be renewed. A TGT MUST NOT be renewed if it is more than MaxRenewAge days old. The default is 7 days. The value MUST be between zero and 99,999.

MaxClockSkew
    The maximum time difference (in minutes) that MUST be tolerated between the client clock time and the clock time of the server that provides Kerberos v5 authentication, as specified in [RFC1510]. The default is 5 minutes. The value MUST be between zero and 99,999.

TicketValidateClient
    A flag that determines whether the Kerberos v5 Key Distribution Center (KDC) MUST validate every request for a session ticket against the user rights policy of the user account. Validation of each request for a session ticket is optional because the extra step takes time and can slow network access to services. The default is enabled. A nonzero value indicates the policy is enabled; otherwise, the policy is disabled.
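The following is an added example, not code from the specification or from any Microsoft implementation: a small Python parser and validator for a [Kerberos Policy] section written in the ABNF above. It enforces the 1*5DIGIT value rule, the 0 to 99,999 ranges, the MaxServiceAge lower bound of 10, and the rule that MaxServiceAge must not exceed MaxTicketAge; because the table gives MaxServiceAge in minutes and MaxTicketAge in hours, that last comparison is made after converting hours to minutes, which is this example's assumption about how the two units are meant to be compared. The sample section text is constructed for the example; the function names are the example's own.

```python
import re
from typing import Dict, List, Tuple

# Default values from the specification table above.
# MaxTicketAge in hours, MaxRenewAge in days, MaxServiceAge and
# MaxClockSkew in minutes, TicketValidateClient nonzero = enabled.
DEFAULTS: Dict[str, int] = {
    "MaxTicketAge": 10,
    "MaxRenewAge": 7,
    "MaxServiceAge": 600,
    "MaxClockSkew": 5,
    "TicketValidateClient": 1,
}

# Setting = Key Wsp "=" Wsp Value, Value = 1*5DIGIT (so 99,999 is the ceiling)
_SETTING_RE = re.compile(r"^(?P<key>[A-Za-z]+)[ \t]*=[ \t]*(?P<value>\d{1,5})$")


def parse_kerberos_policy(text: str) -> Dict[str, int]:
    """Return the key -> int settings found in the [Kerberos Policy] section.

    Lines belonging to other sections are ignored.  A line inside the
    section that does not match the ABNF (unknown key, non-decimal value,
    more than five digits) raises ValueError.
    """
    settings: Dict[str, int] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line == "[Kerberos Policy]"
            continue
        if not in_section:
            continue
        m = _SETTING_RE.match(line)
        if m is None or m.group("key") not in DEFAULTS:
            raise ValueError(f"line does not match the Kerberos Policy ABNF: {raw!r}")
        settings[m.group("key")] = int(m.group("value"))
    return settings


def validate_kerberos_policy(settings: Dict[str, int]) -> List[str]:
    """Return a list of constraint violations (empty means the policy is valid).

    Keys absent from the section take the specification defaults.
    """
    merged = {**DEFAULTS, **settings}
    problems: List[str] = []
    for key in ("MaxTicketAge", "MaxRenewAge", "MaxClockSkew"):
        if not 0 <= merged[key] <= 99999:
            problems.append(f"{key} must be between 0 and 99,999 (got {merged[key]})")
    svc_minutes = merged["MaxServiceAge"]
    tgt_hours = merged["MaxTicketAge"]
    if svc_minutes < 10:
        problems.append(f"MaxServiceAge must be at least 10 minutes (got {svc_minutes})")
    # Assumption of this example: the "<= MaxTicketAge" rule is evaluated
    # after expressing the TGT lifetime (hours) in minutes.
    if svc_minutes > tgt_hours * 60:
        problems.append(
            f"MaxServiceAge ({svc_minutes} min) exceeds MaxTicketAge "
            f"({tgt_hours} h = {tgt_hours * 60} min)"
        )
    return problems


def deviations_from_defaults(settings: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """Map each key whose value differs from the SHOULD default to (value, default).

    Useful when auditing a template: a large MaxClockSkew or a very long
    MaxRenewAge is valid per the grammar but widens the window in which a
    stale ticket or a skewed clock is still accepted.
    """
    return {k: (v, DEFAULTS[k]) for k, v in settings.items() if v != DEFAULTS[k]}


# Constructed sample input (not from a real template) for a stand-alone run.
SAMPLE_POLICY = """\
[Kerberos Policy]
MaxTicketAge = 8
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 30
TicketValidateClient = 1
[Other Section]
Unrelated = 1
"""

if __name__ == "__main__":
    parsed = parse_kerberos_policy(SAMPLE_POLICY)
    for problem in validate_kerberos_policy(parsed):
        print("violation:", problem)
    for key, (value, default) in deviations_from_defaults(parsed).items():
        print(f"deviation: {key} = {value} (default {default})")
```

Running the block on the constructed sample reports one violation (a 600-minute service ticket lifetime against an 8-hour TGT lifetime) and two deviations from the defaults (MaxTicketAge and MaxClockSkew); the deviation list is the part an auditor would review, since a setting can satisfy every MUST in the table and still be weaker than the SHOULD defaults.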