Recipe 14.19 Modifying Kerberos Settings
14.19.1 Problem
You want to modify the default Kerberos settings that define things such as maximum ticket lifetime.
14.19.2 Solution
14.19.2.1 Using a graphical user interface
Open the Domain Security Policy snap-in. In the left pane, expand Account Policies → Kerberos Policy. In the right pane, double-click the setting you want to modify. Enter the new value and click OK.
14.19.3 Discussion
There are several Kerberos-related settings you can customize. In
most environments, the default settings are sufficient, but the ones
you can modify are listed in Table 14-1.
Change the default settings with caution, as doing so incorrectly could cause operational problems and compromise security.
Table 14-1. Kerberos policy settings

| Setting | Default value |
|---|---|
| Enforce user logon restrictions | Enabled |
| Maximum lifetime for service ticket | 600 minutes |
| Maximum lifetime for user ticket | 10 hours |
| Maximum lifetime for user ticket renewal | 7 days |
| Maximum tolerance for computer clock synchronization | 5 minutes |
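The following Python check is an added example, not part of the original recipe: it reads the [Kerberos Policy] section of a security template (.inf) and reports every setting that differs from the Table 14-1 defaults. It assumes the key names used in security templates such as a GPO's GptTmpl.inf; the sample template text is constructed, and the function names are hypothetical.

```python
# Defaults from Table 14-1, keyed by the names assumed for the
# [Kerberos Policy] section of a security template (.inf).
DEFAULTS = {
    "TicketValidateClient": 1,  # Enforce user logon restrictions (1 = Enabled)
    "MaxServiceAge": 600,       # Maximum lifetime for service ticket, minutes
    "MaxTicketAge": 10,         # Maximum lifetime for user ticket, hours
    "MaxRenewAge": 7,           # Maximum lifetime for user ticket renewal, days
    "MaxClockSkew": 5,          # Maximum tolerance for clock sync, minutes
}

# Constructed sample template; real files are often UTF-16, so decode first.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 7
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 30
TicketValidateClient = 0
[Version]
signature="$CHICAGO$"
"""

def read_kerberos_policy(inf_text):
    """Return {key: int} for the [Kerberos Policy] section only."""
    policy, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "kerberos policy"
            continue
        if in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            policy[key] = int(value)              # ValueError on a malformed value
    return policy

def audit(inf_text):
    """List (key, default, found) for each setting that differs from
    Table 14-1; found is None when the template does not define it."""
    policy = read_kerberos_policy(inf_text)
    return [(k, d, policy.get(k)) for k, d in DEFAULTS.items() if policy.get(k) != d]

if __name__ == "__main__":
    for key, default, found in audit(SAMPLE_INF):
        print(f"{key}: default {default}, found {found}")
```
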
14.19.4 See Also
MS KB 231849 (Description of Kerberos Policies in Windows 2000) and MS KB 232179 (Kerberos Administration in Windows 2000)