Tip

Simple Kerberos configuration

Windows 2000, Windows XP and Windows Server 2003 use Kerberos to protect the logon credentials users provide. It serves no other purpose than to protect authentication traffic. The protected traffic could be between clients and domain controllers (which serve as distributed KDCs, or Key Distribution Centers), between clients and servers, or between servers and the KDC.

For most situations, the default configuration of Kerberos is suitable. However, if you want to improve your security setup, there are at least five configuration settings you can adjust in Group Policy. If you plan on changing these settings, test them on a non-production lab network first before implementing them on your production network.

The controls are located in the Computer Configuration section of group policy under Windows Settings, Security Settings, Account Policies, Kerberos Policies. The five configurable variables are:

Enforce user logon restrictions – this setting determines whether the KDC validates every session ticket (TGT) request against the user's authorization. This setting is enabled by default, and since it improves security, don't alter it.

Maximum lifetime for service ticket – this setting controls the lifetime of service tickets (ST). The default setting is 600 minutes. Reducing this setting reduces the likelihood that an ST will be used for impersonation to access resources, but it requires more frequent ST requests on behalf of users. Keeping the value at or above 240 minutes avoids placing too much additional burden on most DCs.

Maximum lifetime for user ticket – this setting controls the lifetime of session tickets (TGT). The default setting is 10 hours. Reducing this setting reduces the likelihood that a TGT will be used for impersonation to access resources, but it requires more frequent TGT requests on behalf of users. A value of four hours avoids placing too much additional burden on most DCs.

Maximum lifetime for user ticket renewal – this setting controls how long after a TGT expires a user can request a renewal without a completely new session key. The default setting is seven days. Shorten this value to require more frequent replacement of session keys. Keeping the value at or above two days avoids placing too much additional burden on most DCs.

Maximum tolerance for computer clock synchronization – this setting controls how much difference between the DC's clock and the client's clock can exist before Kerberos activities are refused. The default value of five minutes is usually ideal. I don't recommend altering this value. Lengthening it increases the exposure of ticket requests to compromise.
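To see where a machine currently stands against the five settings above, the following script (an added example, not part of the original tip) exports the effective security policy with secedit, reads the [Kerberos Policy] section, and flags each value against the article's guidance. It assumes an elevated prompt on a Windows host; the key names and units (MaxServiceAge in minutes, MaxTicketAge in hours, MaxRenewAge in days, MaxClockSkew in minutes, TicketValidateClient as 0/1) are the ones secedit uses in security templates.

```powershell
# Added example: audit local Kerberos policy values against the tip's recommendations.
# Assumes secedit.exe (ships with Windows) and an elevated PowerShell session.
$inf = Join-Path $env:TEMP 'kerberos-policy.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null

# secedit writes a UTF-16 .inf file; keep only the [Kerberos Policy] section.
$policy = @{}
$inSection = $false
foreach ($line in (Get-Content -Path $inf -Encoding Unicode)) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Kerberos Policy'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(\d+)') { $policy[$Matches[1]] = [int]$Matches[2] }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# One entry per Group Policy setting: template key, display name, unit, default, acceptance test, advice.
$checks = @(
    @{ Key='TicketValidateClient'; Label='Enforce user logon restrictions';                      Unit='';    Default=1;
       Ok={ param($v) $v -eq 1 };                Advice='keep enabled (1)' },
    @{ Key='MaxServiceAge';        Label='Maximum lifetime for service ticket';                  Unit='min'; Default=600;
       Ok={ param($v) $v -ge 240 -and $v -le 600 }; Advice='reduce, but keep at or above 240' },
    @{ Key='MaxTicketAge';         Label='Maximum lifetime for user ticket';                     Unit='h';   Default=10;
       Ok={ param($v) $v -ge 4 -and $v -le 10 };    Advice='reduce toward 4' },
    @{ Key='MaxRenewAge';          Label='Maximum lifetime for user ticket renewal';             Unit='d';   Default=7;
       Ok={ param($v) $v -ge 2 -and $v -le 7 };     Advice='shorten, but keep at or above 2' },
    @{ Key='MaxClockSkew';         Label='Maximum tolerance for computer clock synchronization'; Unit='min'; Default=5;
       Ok={ param($v) $v -eq 5 };                Advice='leave at 5; do not lengthen' }
)

foreach ($c in $checks) {
    if (-not $policy.ContainsKey($c.Key)) { '{0}: not present in export' -f $c.Label; continue }
    $v = $policy[$c.Key]
    $status = if (& $c.Ok $v) { 'OK' } else { 'REVIEW' }
    '{0,-58} {1,5} {2,-3} (default {3,3}) {4,-6} {5}' -f $c.Label, $v, $c.Unit, $c.Default, $status, $c.Advice
}
```

On a domain member the exported values reflect the policy actually applied (normally the Default Domain Policy), so run it on a DC or a joined workstation rather than a standalone machine to audit the domain-wide settings.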


James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.


 

This was first published in October 2003
