KDC Configuration Changes

If an implementation supports multiple KDCs for a realm, then it SHOULD have a mechanism for keeping the KDC configuration database consistent across all the KDCs. KDC configuration change details are determined by the implementation.

When KILE implementations that use the LSAD for the configuration database receive a KDC ConfigurationChange event, the KDC SHOULD call the LsarQueryDomainInformationPolicy method ([MS-LSAD]). The InformationClass parameter SHOULD be set to the value of PolicyDomainKerberosTicketInformation in order to retrieve the current values. The KDC SHOULD set its configuration settings as follows:

  • MaxRenewAge (section 3.3.1) to the value of the MaxRenewAge field.

  • MaxClockSkew (section 3.3.1) to the value of the MaxClockSkew field.

  • MaxServiceTicketAge (section 3.3.1) to the value of the MaxServiceTicketAge field.

  • MaxTicketAge (section 3.3.1) to the value of the MaxTicketAge field.

  • AuthenticationOptions (section 3.3.1) to the value of the AuthenticationOptions field.
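
The following sketch is an added example, not code from the specification or from any implementation of it. It shows the update step above applied all-or-nothing, plus a drift check of the kind the multi-KDC consistency requirement calls for. The struct layout, the 100-nanosecond units, all names (kerb_policy, policy_diff, kdc_apply_policy, demo_drift) and the sample values are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout, modelled on the PolicyDomainKerberosTicketInformation data
   in [MS-LSAD]; durations are taken to be 100-nanosecond ticks. */
typedef struct {
    uint32_t AuthenticationOptions;
    int64_t  MaxServiceTicketAge, MaxTicketAge, MaxRenewAge, MaxClockSkew;
} kerb_policy;                 /* hypothetical name, also the KDC's settings */

enum { F_RENEW = 1, F_SKEW = 2, F_SVC = 4, F_TKT = 8, F_OPTS = 16 };
#define TICKS_PER_MIN (60LL * 10000000LL)

/* Bitmask of the five settings that differ between two snapshots. */
unsigned policy_diff(const kerb_policy *a, const kerb_policy *b)
{
    unsigned m = 0;
    if (a->MaxRenewAge != b->MaxRenewAge)                     m |= F_RENEW;
    if (a->MaxClockSkew != b->MaxClockSkew)                   m |= F_SKEW;
    if (a->MaxServiceTicketAge != b->MaxServiceTicketAge)     m |= F_SVC;
    if (a->MaxTicketAge != b->MaxTicketAge)                   m |= F_TKT;
    if (a->AuthenticationOptions != b->AuthenticationOptions) m |= F_OPTS;
    return m;
}

/* Change-event handler: copy all five values or none. Rejecting negative
   durations is this example's own sanity check, not a rule from the page.
   Returns the mask of settings that changed, or -1 if nothing was applied. */
int kdc_apply_policy(kerb_policy *kdc, const kerb_policy *queried)
{
    if (queried->MaxRenewAge < 0 || queried->MaxClockSkew < 0 ||
        queried->MaxServiceTicketAge < 0 || queried->MaxTicketAge < 0)
        return -1;
    int changed = (int)policy_diff(kdc, queried);
    *kdc = *queried;
    return changed;
}

/* Constructed scenario: KDC A handles the event, KDC B has not yet. Returns
   the drift mask between them, or -1 if A rejected the values unchanged. */
int demo_drift(int64_t new_max_ticket_age)
{
    const kerb_policy start = { 0x80, 600 * TICKS_PER_MIN, 600 * TICKS_PER_MIN,
                                10080 * TICKS_PER_MIN, 5 * TICKS_PER_MIN };
    kerb_policy a = start, b = start, queried = start;
    queried.MaxTicketAge = new_max_ticket_age;
    if (kdc_apply_policy(&a, &queried) < 0)
        return policy_diff(&a, &b) ? -2 : -1;
    return (int)policy_diff(&a, &b);
}

int main(void) { printf("drift mask: %d\n", demo_drift(240 * TICKS_PER_MIN)); return 0; }
```

A non-zero mask between two KDCs of the same realm means one of them has not yet processed the change, so tickets issued by the two would carry different lifetime limits.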