There are five Kerberos policy settings that are part of the Default Domain policy:
- Enforce user logon restrictions
  - Enabled by default. Causes the Key Distribution Center (KDC) to validate every session ticket request against the user rights policy.
- Maximum lifetime for service ticket
  - The maximum time a service ticket is valid to access a particular service. The default is 600 minutes.
- Maximum lifetime for user ticket
  - The maximum time a Ticket Granting Ticket is valid. Default is 10 hours.
- Maximum lifetime for user ticket renewal
  - The maximum time that a Ticket Granting Ticket can be renewed. Default is 7 days.
- Maximum tolerance for computer clock synchronization
  - The maximum time difference allowed between the client time and the domain controller time. If the time difference is more than the maximum, the timestamp is considered non-authentic. Default is 5 minutes.
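
One way to check these five settings against the defaults listed above is to read the `[Kerberos Policy]` section of the GPO's `GptTmpl.inf` security template. This is an added example, not part of the original page; the INF key names come from that template format rather than from the page, and the sample file content is constructed.

```python
# Defaults as listed above, keyed by the GptTmpl.inf setting name (assumption:
# the policy is audited from an exported security template, not a live DC).
DEFAULTS = {
    "TicketValidateClient": 1,  # Enforce user logon restrictions (1 = enabled)
    "MaxServiceAge": 600,       # service ticket lifetime, minutes
    "MaxTicketAge": 10,         # user ticket (TGT) lifetime, hours
    "MaxRenewAge": 7,           # user ticket renewal lifetime, days
    "MaxClockSkew": 5,          # clock synchronization tolerance, minutes
}

def parse_kerberos_policy(inf_text):
    """Return {key: int} for the [Kerberos Policy] section only."""
    values, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "kerberos policy"
            continue
        if in_section and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = int(val.strip())
    return values

def audit(inf_text):
    """List (key, found, default) for each setting that is missing or differs."""
    found = parse_kerberos_policy(inf_text)
    return [(k, found.get(k), d) for k, d in DEFAULTS.items() if found.get(k) != d]

# Constructed sample: logon restrictions disabled and a 24-hour TGT lifetime.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 7
[Kerberos Policy]
MaxTicketAge = 24
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 0
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    for key, value, default in audit(SAMPLE_INF):
        print(f"{key}: found {value}, default {default}")
```

A setting that is absent from the section is reported with a found value of `None`, so an unconfigured policy is not mistaken for a default one.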