You want to modify the default Kerberos settings that define things, such as maximum ticket lifetime.
Open the Domain Security Policy snap-in.
In the left pane, expand Account Policies Kerberos Policy.
In the right pane, double-click on the setting you want to modify.
Enter the new value and click OK.
There are several Kerberos-related settings you can customize. In most environments, the default settings are sufficient, but the ones you can modify are listed in Table 14-1.
|
Setting |
Default value |
---|---|
Enforce user logon restrictions |
Enabled |
Maximum lifetime for service ticket |
600 minutes |
Maximum lifetime for user ticket |
10 hours |
Maximum lifetime for user ticket renewal |
7 days |
Maximum tolerance for computer clock synchronization |
5 minutes |
MS KB 231849 (Description of Kerberos Policies in Windows 2000) and MS KB 232179 (Kerberos Administration in Windows 2000)