AD Kerberos policy settings

There are five Kerberos policy settings that are part of the Default Domain Policy:

  • Enforce user logon restrictions
    • Enabled by default. Causes the Key Distribution Center (KDC) to validate every session ticket request against the user rights policy.
  • Maximum lifetime for service ticket
    • The maximum time a service ticket is valid to access a particular service. The default is 600 minutes.
  • Maximum lifetime for user ticket
    • The maximum time a Ticket Granting Ticket is valid. Default is 10 hours.
  • Maximum lifetime for user ticket renewal
    • The maximum time that a Ticket Granting Ticket can be renewed. Default is 7 days.
  • Maximum tolerance for computer clock synchronization
    • The maximum time difference allowed between the client time and the domain controller time. If the time difference is more than the maximum, the timestamp is considered non-authentic. Default is 5 minutes.
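
The following is an added example, not part of the original post: it audits the [Kerberos Policy] section of an exported security template against the five defaults listed above. The INF key names (MaxTicketAge, MaxServiceAge and so on) and the sample template are assumptions made for the example.

```python
# Added example: audit the [Kerberos Policy] section of a security template.
# INF key names are an assumption (those used in exported security templates).
DEFAULTS = {  # setting -> (INF key, default value from the list above)
    "Enforce user logon restrictions": ("TicketValidateClient", 1),       # flag
    "Maximum lifetime for service ticket": ("MaxServiceAge", 600),        # minutes
    "Maximum lifetime for user ticket": ("MaxTicketAge", 10),             # hours
    "Maximum lifetime for user ticket renewal": ("MaxRenewAge", 7),       # days
    "Maximum tolerance for computer clock synchronization": ("MaxClockSkew", 5),  # minutes
}

def parse_kerberos_section(inf_text):
    """Return {lowercased key: int} for the [Kerberos Policy] section only."""
    values, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop INF comments
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "kerberos policy"
        elif in_section and "=" in line:
            key, _, val = line.partition("=")
            if val.strip().isdigit():                # ignore malformed values
                values[key.strip().lower()] = int(val.strip())
    return values

def audit(inf_text):
    """Return (setting, status, found value, default) for all five settings."""
    found = parse_kerberos_section(inf_text)
    report = []
    for setting, (key, default) in DEFAULTS.items():
        value = found.get(key.lower())
        if value is None:
            status = "not defined"                   # template does not set it
        elif value == default:
            status = "default"
        elif key == "TicketValidateClient":
            status = "disabled" if value == 0 else "unexpected"
        elif value == 0:
            status = "zero"                          # special value, review by hand
        else:  # above default = longer-lived tickets or wider clock tolerance
            status = "above default" if value > default else "below default"
        report.append((setting, status, value, default))
    return report

SAMPLE = """[System Access]
MinimumPasswordLength = 7
[Kerberos Policy]
MaxTicketAge = 24        ; constructed sample: TGT lifetime raised to 24 hours
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 0
"""

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```
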
