How do I configure Kerberos?

Kerberos is configured entirely within Active Directory (AD) and is part of the Default Domain Policy Group Policy object in every domain. As an administrator, you can modify several of Kerberos' key configuration settings.

In general, you shouldn't need to modify the default Kerberos configuration settings. Microsoft came up with the default settings based on a typical work environment, and it's rare for them to be unsuitable or wrong. Be sure that you understand exactly what each setting does and how it impacts your domain before making any changes.

To modify the Kerberos policies for a domain, follow these steps:

  1. Open Active Directory Users and Computers.
  2. Right-click the domain, and select Properties.
  3. Select the Group Policy tab.
  4. Select Default Domain Policy from the list, and click Edit.
  5. Locate the Kerberos settings, shown in Figure 11.1.
  6. Modify the settings as appropriate.
  7. Close the Group Policy Object Editor.
  8. Close the Properties dialog box.

Figure 11.1: Kerberos policies in the Default Domain Policy Group Policy object.

The screen shots that follow and the default setting values are from Windows Server 2003—the steps are identical in Windows 2000 (Win2K) domains.

Your changes will be replicated throughout the domain.

Kerberos Settings

Windows contains only five Kerberos settings:

  • Enforce user logon restrictions—Enabled by default, this setting determines whether the Key Distribution Center (KDC) validates every request for a session ticket against the user's rights. Enabling this policy provides better security because changes to user rights will be effective for the user's next ticket request. However, the validation step does require a bit of extra processing on the part of the KDC.
  • Maximum lifetime for service ticket—Service tickets are those requested by Windows background services to act on behalf of a user. The default 600-minute lifetime is generally sufficient and prevents a service from being able to impersonate a user for an unreasonably long period of time. Shortening this value places increased load on domain controllers, as services will have to contact domain controllers more frequently to obtain new tickets.
  • Maximum lifetime for user ticket—User tickets are those requested by users to access resources. The default setting, 10 hours, covers a typical workday and allows a user to utilize tickets for the entire day. Lengthening this value might overexpose the ticket and leave it more vulnerable to compromise; shortening this value might place an undue burden on domain controllers.
  • Maximum lifetime for user ticket renewal—When a ticket's maximum lifetime expires, a client computer can renew the ticket. Renewals don't require a new session key, thereby saving a bit of processing on the KDC. The default setting for this value is 7 days, ensuring that ticket session keys don't last longer than a week.
  • Maximum tolerance for computer clock synchronization—This value defaults to 5 minutes, meaning a client computer's clock can be as many as 5 minutes ahead of or behind the KDC's own clock. The default value should be fine for most environments. Lengthening this value could give intruders extra time to attempt to compromise a ticket request captured from the network; if your environment has network latencies or time sync problems that seem to necessitate lengthening this setting, you are better off correcting those time or latency problems than compromising Kerberos security.
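The five settings above are stored in the domain's security template (GptTmpl.inf in SYSVOL, or a file produced by `secedit /export /cfg <file>`) under a [Kerberos Policy] section. As an added example, not part of the original text, the Python script below parses such a file and flags settings that deviate from the defaults listed above; the INF key names (MaxTicketAge, MaxRenewAge, MaxServiceAge, MaxClockSkew, TicketValidateClient) are Windows' own, while the sample export is constructed.

```python
import configparser

# Defaults described on this page, in the units Windows stores them in a
# security template (GptTmpl.inf or a `secedit /export` file), with the
# page's reason why raising each one weakens security.
DEFAULTS = {
    "MaxTicketAge": (10, "hours; user ticket exposed longer if captured"),
    "MaxRenewAge": (7, "days; ticket session keys may outlive a week"),
    "MaxServiceAge": (600, "minutes; service can act for the user longer"),
    "MaxClockSkew": (5, "minutes; wider window to replay a captured request"),
}

def parse_kerberos_policy(inf_text):
    """Return the [Kerberos Policy] section of a security template as ints."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key names case-sensitive, as written
    cp.read_string(inf_text)
    if not cp.has_section("Kerberos Policy"):
        return {}
    return {k: int(v) for k, v in cp["Kerberos Policy"].items()}

def audit_kerberos_policy(policy):
    """Compare a parsed policy to the defaults; one finding per deviation."""
    findings = []
    # 1 = "Enforce user logon restrictions" enabled (the default).
    if policy.get("TicketValidateClient", 1) != 1:
        findings.append("TicketValidateClient=0: KDC does not re-check user "
                        "rights per ticket request; rights changes apply late")
    for key, (default, why) in DEFAULTS.items():
        value = policy.get(key, default)  # an unset key keeps the default
        if value > default:
            findings.append(f"{key}={value} (default {default}) {why}")
        elif value < default:
            findings.append(f"{key}={value} (default {default}) tighter than "
                            "default; expect more ticket traffic to the DCs")
    return findings

# Constructed sample export with two weakened settings; not from a real domain.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 15
TicketValidateClient = 0
"""
if __name__ == "__main__":
    for finding in audit_kerberos_policy(parse_kerberos_policy(SAMPLE_INF)):
        print(finding)
```

A real `secedit` export is UTF-16 text; open it with that encoding before passing its contents to parse_kerberos_policy.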