2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article analyzes the configuration of Kerberos policy. Many administrators are not very familiar with these settings, so the article is shared here for reference.
The Kerberos policy applies to domain user accounts and determines Kerberos-related settings, such as ticket lifetimes and enforcement. However, the Kerberos policy can only be applied to computers in the domain. To set the Kerberos policy, open the Default Domain Security Settings window and select Windows Settings → Security Settings → Account Policies → Kerberos Policy.
(1) Maximum lifetime for service ticket
This policy sets the maximum time, in minutes, for which a granted session ticket can be used to access a particular service. This setting must be greater than 10 minutes and less than or equal to the "Maximum lifetime for user ticket" setting.
If a client presents an expired session ticket when it requests a connection to a server, the server returns an error message. The client must then request a new session ticket from the Kerberos V5 Key Distribution Center (KDC). However, once a connection is authenticated, it no longer matters whether the session ticket is still valid. The session ticket is used only to authenticate a new connection to the server. If the session ticket used to authenticate the connection expires during the connection, the current operation is not interrupted.
Open the "Maximum lifetime for service ticket Properties" dialog box, select the "Define this policy setting" check box (Figure 17-35), and then set the maximum time. The other policies are configured in the same way.
Figure 17-35 "Maximum lifetime for service ticket Properties" dialog box
(2) Maximum tolerance for computer clock synchronization
This policy sets the maximum difference, in minutes, that Kerberos V5 allows between the client clock and the time on the Windows Server 2003 domain controller that provides Kerberos authentication.
To prevent replay attacks, Kerberos V5 uses timestamps as part of its protocol definition. For the timestamps to work properly, the clocks of the client and the domain controller should be synchronized as closely as possible. In other words, the two computers should be set to the same time and date. Because the clocks of two computers are often out of sync, administrators can use this policy to set the maximum difference between the client clock and the domain controller clock that Kerberos V5 will accept. If the difference between the client clock and the domain controller clock is less than the maximum time difference specified in the policy, any timestamp used in a session between the two computers is considered trusted.
This setting is not permanent. If you restart the computer after configuring the setting, it is restored to the default value.
(3) Enforce user logon restrictions
This policy determines whether the Kerberos V5 Key Distribution Center (KDC) validates each session ticket request against the user rights of the user account. Validating each session ticket request is optional because the additional step takes time and may slow down network access to services.
(4) Maximum lifetime for user ticket renewal
This policy sets the period, in days, within which a user's ticket-granting ticket (TGT) can be renewed.
(5) Maximum lifetime for user ticket
This policy sets the maximum time, in hours, for which a user's ticket-granting ticket (TGT) can be used. When the TGT expires, the user must request a new ticket or "renew" the existing one.
Addendum: a failed Kerberos renewal may be the cause of failures in delegated management of domain accounts. The Kerberos renewal period is 10 hours, and the Kerberos subsystem needs to issue a request. If the failure occurs twice a week, there is no problem. If it occurs twice a day, it is recommended to install the hotfix or continue the investigation.
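As an added example (not part of the original article), the following Python code audits the `[Kerberos Policy]` section of an exported GPO security template (GptTmpl.inf) against the rules described above. The sample template is constructed; the key names and units are the ones Windows writes to that section, and the 5-minute clock-tolerance baseline is the Windows default rather than a value stated in the article.

```python
import configparser
from datetime import datetime, timedelta

# Constructed sample of the [Kerberos Policy] section of a GptTmpl.inf file.
# Units: MaxTicketAge hours, MaxRenewAge days, MaxServiceAge minutes,
# MaxClockSkew minutes, TicketValidateClient 0/1.
SAMPLE_INF = """\
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 720
MaxClockSkew = 30
TicketValidateClient = 0
"""

DEFAULT_CLOCK_SKEW_MIN = 5  # Windows default tolerance (assumed baseline)

def load_policy(inf_text):
    """Return the [Kerberos Policy] keys as a dict of ints."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written in the template
    cp.read_string(inf_text)
    return {key: int(value) for key, value in cp["Kerberos Policy"].items()}

def audit(policy):
    """Check the settings against the constraints the article describes."""
    findings = []
    service_min = policy["MaxServiceAge"]
    user_min = policy["MaxTicketAge"] * 60  # hours -> minutes
    if service_min <= 10:
        findings.append("service ticket lifetime must be greater than 10 minutes")
    if service_min > user_min:
        findings.append("service ticket lifetime exceeds user ticket lifetime")
    if policy["TicketValidateClient"] != 1:
        findings.append("KDC does not enforce user logon restrictions")
    if policy["MaxClockSkew"] > DEFAULT_CLOCK_SKEW_MIN:
        findings.append("clock tolerance is wider than the default")
    return findings

def timestamp_trusted(client_time, dc_time, max_skew_minutes):
    """True if the clock difference is less than the configured tolerance."""
    return abs(client_time - dc_time) < timedelta(minutes=max_skew_minutes)

if __name__ == "__main__":
    for finding in audit(load_policy(SAMPLE_INF)):
        print("FINDING:", finding)
```

A wider clock tolerance lengthens the window in which a captured timestamp is still accepted, which is why the audit flags values above the default.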
© 2024 shulou.com SLNews company. All rights reserved.