Recipe 14.19 Modifying Kerberos Settings

14.19.1 Problem

You want to modify the default Kerberos settings, such as the maximum ticket lifetime.

14.19.2 Solution

Using a graphical user interface

  1. Open the Domain Security Policy snap-in.

  2. In the left pane, expand Account Policies → Kerberos Policy.

  3. In the right pane, double-click on the setting you want to modify.

  4. Enter the new value and click OK.

14.19.3 Discussion

There are several Kerberos-related settings you can customize. In most environments, the default settings are sufficient, but the ones you can modify are listed in Table 14-1.

Change the default settings with caution; an incorrect change can cause operational problems and compromise security.

Table 14-1. Kerberos policy settings

| Setting | Default value |
|---|---|
| Enforce user logon restrictions | |
| Maximum lifetime for service ticket | 600 minutes |
| Maximum lifetime for user ticket | 10 hours |
| Maximum lifetime for user ticket renewal | 7 days |
| Maximum tolerance for computer clock synchronization | 5 minutes |
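To check whether a domain's Kerberos policy has drifted from the defaults in Table 14-1, the following added example (not part of the original recipe) parses the [Kerberos Policy] section of a security template and reports every value that differs. It assumes the settings appear under the key names MaxServiceAge, MaxTicketAge, MaxRenewAge and MaxClockSkew, as they do in a secedit export; the sample template and the function names are constructed for illustration.

```python
import configparser

# Defaults from Table 14-1, keyed by the [Kerberos Policy] names used in a
# security template: key -> (default, unit, setting name).
DEFAULTS = {
    "MaxServiceAge": (600, "minutes", "Maximum lifetime for service ticket"),
    "MaxTicketAge": (10, "hours", "Maximum lifetime for user ticket"),
    "MaxRenewAge": (7, "days", "Maximum lifetime for user ticket renewal"),
    "MaxClockSkew": (5, "minutes",
                     "Maximum tolerance for computer clock synchronization"),
}

# Constructed sample template, not taken from a real domain.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 30
MaxServiceAge = 720
MaxClockSkew = 15
TicketValidateClient = 1
"""

def parse_kerberos_policy(inf_text):
    """Return the [Kerberos Policy] section as {key: int}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the key case used in the template
    cp.read_string(inf_text)
    if not cp.has_section("Kerberos Policy"):
        return {}
    return {k: int(v) for k, v in cp.items("Kerberos Policy")}

def audit(inf_text):
    """List settings that differ from Table 14-1, plus one consistency check."""
    policy = parse_kerberos_policy(inf_text)
    findings = []
    for key, (default, unit, name) in DEFAULTS.items():
        value = policy.get(key)
        if value is not None and value != default:
            findings.append(f"{name}: {value} {unit} (default {default} {unit})")
    svc, tgt = policy.get("MaxServiceAge"), policy.get("MaxTicketAge")
    # Service tickets should not outlive the user ticket (hours -> minutes).
    if svc is not None and tgt is not None and svc > tgt * 60:
        findings.append(f"Service ticket lifetime {svc} min exceeds user ticket lifetime {tgt * 60} min")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INF):
        print(finding)
```

Templates exported by secedit are typically UTF-16 encoded, so decode the file before passing its text to `audit`.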

14.19.4 See Also

MS KB 231849 (Description of Kerberos Policies in Windows 2000) and MS KB 232179 (Kerberos Administration in Windows 2000)

