Contact info for Tech Philly
Home  •  Contact  •  Services  •  Support

            Tech Solutions

PC Upgrades Upgrades
Data Recovery Data Recovery
Computer Repair, Maintenance, and update Maintenance
Security From Viruses, Hackers, and Spyware Security
Network Solutions Networks
Website Search Engine Optimization Google Rank Increase Websites
Computer Repair Philadelphia Gateway Compaq Custom Systems

  • Location Service
  • 24/7 Help

Philadelphia Computer Tech Support
01 - 02 - 03 - 04 - 05 - 06 - 07 - 08 - 09 - 10 - 11 - 12 - 13 - 14 - 15 - 16 - 17 - 18 - 19 - 20 -

Kerberos Policy
Policy for Kerberos in Windows 2000 is set at the domain level. As a matter of fact, Microsoft uses the word
“domain” instead of “realm” when referring to Kerberos policy. Kerberos policy is stored within Active
Directory, and only members of the Domain Admins group are allowed to change the policy. Figure 3.10
shows the options available in the Kerberos policy for the domain. The default settings are the default for
Windows 2000 Server beta 3.
Figure 3.10 This is the default Kerberos Domain Policy.
The settings included in the Kerberos Domain Policy are:
• Enforce user logon restrictions
• Maximum lifetime that a user ticket can be renewed
• Maximum service ticket lifetime
• Maximum tolerance for synchronization of computer clocks
• Maximum user ticket lifetime
Enforce user logon restrictions is enabled by default and is used to validate every request for session tickets
by making sure that the client has the correct user rights for logging on the destination server. This setting
can be disabled; it takes extra time to perform and may slow down network performance.
The maximum lifetime that a ticket can be renewed setting is set in days. A reasonable setting is seven days
for this attribute.
The maximum service ticket lifetime is set in minutes. Do not let the term “service ticket” confuse you; it is
just the name Microsoft decided to use for session tickets. The setting for the lifetime of the service ticket
cannot be more than the time specified in the maximum user ticket lifetime or less than ten minutes. A
reasonable setting for this option is to make it the same as the maximum user ticket lifetime.
The maximum tolerance for synchronization of computer clocks setting determines how much difference in
the clocks is tolerated. This setting is in minutes, and five minutes is a reasonable setting.
The maximum user ticket lifetime is set in hours. Microsoft has decided to use the term “user ticket,” but in
Kerberos terms it is a TGT. A reasonable setting is 10 hours for this attribute.
It is easy to change an attribute by double-clicking the attribute and changing the setting, as shown in Figure
Figure 3.11 This is the way to change the setting for the maximum lifetime that a user ticket can be renewed
01 - 02 - 03 - 04 - 05 - 06 - 07 - 08 - 09 - 10 - 11 - 12 - 13 - 14 - 15 - 16 - 17 - 18 - 19 - 20 -

  Home Contact Data Recovery Search Engine Web Design/Hosting Networks

Serving the Philadelphia area with the best in tech service and support.

Tech Philly Custom Systems Data Recovery Emergency Service Maintenance Network Service Onsite Service Repair Security Software Spyware Upgrades Viruses Website Design Website Hosting Wireless Computer