Kerberos Ticket Renewal Lifetime

  • Kerberos Ticket Renewal Lifetime

    I've got a fairly new 2003 Active Directory and recently I have had two independent reports of users not being able to get into a file server that they were able to one week before. After a log off and log on they have been ok.

    I believe this is due to the fact the users haven't logged off in a week and their Kerberos credentials expired. So I've checked domain policy and it seems that the policies are as follows:
    Maximum lifetime for service ticket           600 minutes
    Maximum lifetime for user ticket               10 hours
    Maximum lifetime for user ticket renewal   7 days
    The last one was of interest here so I just changed it to 60 days.
    Maximum lifetime for user ticket renewal   60 days
    I would like to ask what people's opinions are on this, especially if there are any other veteran MCSEs out there, regarding the security implications of this change.

  • #2
    Re: Kerberos Ticket Renewal Lifetime

    The default and recommended setting is 7 days.

    Reducing the lifetime of tickets reduces the risk of having users' credentials used by an attacker. But this increases authorisation overheads.

    Dependent upon the security policy you have. Personally I would suggest that it would be more secure to have your users log off or log them off within 48 hours or at the most 5 days. This would obviously reduce the risk of hijacking user details should the unthinkable occur.
    The Univurse is still winning!

    W2K AD, WSUS, RIS 2003. ISA also AVG Server
    ** If contributors help you, recognise them and give reputation points where appropriate **
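As an added check (not code from either poster), a small Python script that reads the [Kerberos Policy] section of a Default Domain Policy GptTmpl.inf (the SecEdit template under SYSVOL that holds these settings) and flags any value above the Microsoft defaults quoted in this thread. The .inf text below is constructed to match the 60-day renewal change described in the first post; the file path and the defaults table are assumptions, not taken from the thread.

```python
"""Audit the [Kerberos Policy] section of a GptTmpl.inf for lifetimes above the defaults."""
import configparser
from datetime import timedelta

# Microsoft defaults for the domain Kerberos policy, in the units the .inf uses.
DEFAULTS = {
    "MaxTicketAge": (10, "hours"),      # Maximum lifetime for user ticket (TGT)
    "MaxRenewAge": (7, "days"),         # Maximum lifetime for user ticket renewal
    "MaxServiceAge": (600, "minutes"),  # Maximum lifetime for service ticket
    "MaxClockSkew": (5, "minutes"),     # Maximum tolerance for clock synchronisation
}

# Constructed sample: the thread's policy after the renewal lifetime was raised to 60 days.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 60
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
"""

def parse_kerberos_policy(inf_text):
    """Return {setting: int} from the [Kerberos Policy] section of a GptTmpl.inf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the setting names in their original case
    cp.read_string(inf_text)
    return {name: int(value) for name, value in cp["Kerberos Policy"].items()}

def audit(policy):
    """Return (setting, value, default, unit) for every setting above its default."""
    return [(name, policy[name], default, unit)
            for name, (default, unit) in DEFAULTS.items()
            if name in policy and policy[name] > default]

def max_renewable_window(policy):
    """Longest a TGT can be kept valid through renewals; a stolen TGT stays usable this long."""
    return timedelta(days=policy["MaxRenewAge"])

if __name__ == "__main__":
    pol = parse_kerberos_policy(SAMPLE_INF)
    for name, value, default, unit in audit(pol):
        print(f"{name}: {value} {unit} exceeds default of {default} {unit}")
    print(f"renewable window: {max_renewable_window(pol)}")
```

On a live domain the template is read from the Default Domain Policy folder under SYSVOL and is usually UTF-16 encoded, so open it with `encoding="utf-16"` before passing the text in.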