14.19.1 Problem

You want to modify the default Kerberos settings that define things such as the maximum ticket lifetime.

14.19.2 Solution

14.19.2.1 Using a graphical user interface

1. Open the Domain Security Policy snap-in.
2. In the left pane, expand Account Policies → Kerberos Policy.
3. In the right pane, double-click on the setting you want to modify.
4. Enter the new value and click OK.

14.19.3 Discussion

There are several Kerberos-related settings you can customize. In most environments the default settings are sufficient, but the ones you can modify are listed in Table 14-1.

Change the default settings with caution; doing so incorrectly could cause operational problems and compromise security.

Table 14-1. Kerberos policy settings

| Setting | Default value |
|---|---|
| Enforce user logon restrictions | Enabled |
| Maximum lifetime for service ticket | 600 minutes |
| Maximum lifetime for user ticket | 10 hours |
| Maximum lifetime for user ticket renewal | 7 days |
| Maximum tolerance for computer clock synchronization | 5 minutes |

14.19.4 See Also

MS KB 231849 (Description of Kerberos Policies in Windows 2000) and MS KB 232179 (Kerberos Administration in Windows 2000)
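
To see which of the settings in Table 14-1 have drifted from their defaults, the following added example (not part of the original recipe) parses the [Kerberos Policy] section of a security-template export and compares each value with the table. It assumes the export was taken with secedit on a domain controller; the function names, the file name kerb.inf and the sample export are constructed for illustration.

```powershell
# Defaults from Table 14-1, keyed by the [Kerberos Policy] names in a template export.
# Units: MaxTicketAge hours, MaxRenewAge days, others minutes; TicketValidateClient 1 = Enabled.
$Defaults = [ordered]@{
    TicketValidateClient = 1     # Enforce user logon restrictions
    MaxServiceAge        = 600   # Maximum lifetime for service ticket
    MaxTicketAge         = 10    # Maximum lifetime for user ticket
    MaxRenewAge          = 7     # Maximum lifetime for user ticket renewal
    MaxClockSkew         = 5     # Maximum tolerance for computer clock synchronization
}

# Collect "name = number" pairs from the [Kerberos Policy] section only.
function Get-KerberosPolicyFromInf {
    param([string[]]$Lines)
    $policy = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Kerberos Policy') }
        elseif ($inSection -and $t -match '^(\w+)\s*=\s*(\d+)$') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    $policy
}

# Report each setting as Default, Changed, or NotDefined (absent from the export).
function Compare-KerberosPolicy {
    param([hashtable]$Policy)
    foreach ($name in $Defaults.Keys) {
        $actual = $Policy[$name]
        if ($null -eq $actual) { $status = 'NotDefined' }
        elseif ($actual -eq $Defaults[$name]) { $status = 'Default' }
        else { $status = 'Changed' }
        [pscustomobject]@{ Setting = $name; Default = $Defaults[$name]; Actual = $actual; Status = $status }
    }
}

# Constructed sample export. On a real system, create the file with
#   secedit /export /cfg kerb.inf /areas SECURITYPOLICY   and pass (Get-Content kerb.inf).
$sample = @'
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 30
[Version]
Revision=1
'@ -split "`r?`n"

Compare-KerberosPolicy (Get-KerberosPolicyFromInf $sample) | Format-Table -AutoSize
```

With the constructed sample, MaxClockSkew is reported as Changed (30 against a default of 5) and TicketValidateClient as NotDefined, which are the rows to review against your change records.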