Parameters in « Strategy Kerberos » not taken into account.

Tom Yu tlyu at MIT.EDU
Fri Nov 14 14:35:59 EST 2008


jivko <jivko.mitev at free.fr> writes:

> Title: Parameters in « Strategy Kerberos » not taken into account.
>
> Environment: Domain controller « Windows 2000 Server SP4 », client
> « Windows XP SP2 »
> Particularities of the environment:
> The server is the only AD controller in its VLAN. It was added to the
> production domain, replicated, then detached and plugged into a
> closed VLAN, with the missing references removed.
> The server is in AD2000 native mode, but the domain was not
> created from scratch; it was migrated from NT.
> The VLAN contains the only XP host, a member of the domain.
>
> At the beginning the domain was under NT; it contained a certain
> number of NT hosts (1 PDC and several BDCs).
> The domain was migrated to Windows 2000 as follows:
> migration of the NT PDC to 2000, so 2000 is in mixed mode, which means
> that the 2000 server emulates an NT PDC;
> replacement of all the NT controllers by 2000 controllers
> installed from scratch;
> at the end, when there were no NT controllers left in the domain,
> reinstallation from scratch to 2000 of the former NT PDC;
> when there are only 2000 machines installed from scratch, switching
> the AD to 2000 « native » mode.
>
> So the controllers are 100% 2000, but the AD structure comes from the
> old NT domain.
>
>
> Description:
> We want to modify the max lifetime of Kerberos TGT tickets. To do
> this:
> 1) we modified the value of the TGT max lifetime to 600 in «
> Stratégie de sécurité du domaine / …/ Strategie Kerberos »
> [Domain Security Policy / … / Kerberos Policy]

Because it is likely that most of the readers of this newsgroup / list
primarily speak English, you may get more useful responses if you
could quote the names of the settings that you mention above from an
English localization rather than from the French localization.

> On the client host we do:
>  2) klist purge
>  3) access the shared folder
>  4) klist tgt
> ===========
> C:\Program Files\Resource Kit>klist tgt
>
> Cached TGT:
>
> ServiceName: krbtgt
> TargetName: krbtgt
> FullServiceName: GOVARTAN
> DomainName: AESN.FR
> TargetDomainName: AESN.FR
> AltTargetDomainName: AESN.FR
> TicketFlags: 0x40e00000
> KeyExpirationTime: 1/1/1601 2:00:00
> StartTime: 10/16/2008 18:04:54
> EndTime: 10/17/2008 2:04:54
> RenewUntil: 10/16/2008 19:04:54
> TimeSkew: 1/1/1601 2:00:00
> ==========
>
> The problem: the TGT max lifetime is 8h.
> After rebooting the server: the same result.
> The same modifications are taken into account on the host installed
> with Windows 2000 from scratch.
>
> Questions:
> 1) As the ticket max lifetime is 10h by default, where does the 8h
> duration come from?

I am not familiar with how AD configures its ticket lifetimes, but if
it is similar to how MIT krb5 determines ticket lifetime, it probably
uses the smallest lifetime value out of the set containing the client
principal ticket lifetime, the service principal ticket lifetime and
the requested lifetime.

> 2) How to modify (force) the tgt max lifetime in our platform
> configuration?

Again, I am not very familiar with AD administration, but there may be
individual lifetime restrictions on each client principal, or more
global settings, that could affect ticket lifetime in the way you
wish.
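As an added example (not part of the original thread), the following Python script parses the `klist tgt` dump quoted above, decodes the RFC 4120 ticket flags in `TicketFlags: 0x40e00000`, computes the granted lifetime from `StartTime`/`EndTime` (which is where the 8h figure comes from), and applies the MIT-krb5-style "smallest of the three" clamp that Tom Yu describes. The klist text is the poster's output with the trailing encoding debris removed; the `effective_lifetime` call at the end uses hypothetical values to illustrate the clamp and does not claim to know which AD limit produced the 8h result.

```python
"""Parse a Windows Resource Kit `klist tgt` dump and check ticket lifetime.

Added example, not from the original thread. Flag bit positions are the
standard Kerberos TicketFlags from RFC 4120 section 5.3; the min() clamp
mirrors how the MIT krb5 KDC limits the lifetime it grants.
"""
import re
from datetime import datetime, timedelta

# The poster's klist output (constructed here from the quoted message).
KLIST_TGT = """\
Cached TGT:

ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: GOVARTAN
DomainName: AESN.FR
TargetDomainName: AESN.FR
AltTargetDomainName: AESN.FR
TicketFlags: 0x40e00000
KeyExpirationTime: 1/1/1601 2:00:00
StartTime: 10/16/2008 18:04:54
EndTime: 10/17/2008 2:04:54
RenewUntil: 10/16/2008 19:04:54
TimeSkew: 1/1/1601 2:00:00
"""

# RFC 4120 ticket flags: bit 0 is the most significant bit of the 32-bit
# word, so bit n has the value 1 << (31 - n).
TICKET_FLAGS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "may-postdate", 6: "postdated", 7: "invalid", 8: "renewable",
    9: "initial", 10: "pre-authent", 11: "hw-authent",
    12: "transited-policy-checked", 13: "ok-as-delegate",
}

# Windows FILETIME zero (1 Jan 1601); klist prints it in local time when a
# field such as KeyExpirationTime is simply not set.
FILETIME_ZERO = datetime(1601, 1, 1)


def parse_klist(text):
    """Return the 'Key: value' lines of a klist dump as a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def parse_time(value):
    """klist uses US-style m/d/yyyy H:M:S without zero padding."""
    return datetime.strptime(value, "%m/%d/%Y %H:%M:%S")


def is_unset(ts):
    """True for the FILETIME zero sentinel (date part only, to ignore tz)."""
    return ts.date() == FILETIME_ZERO.date()


def decode_flags(value):
    """Names of the RFC 4120 flags set in a TicketFlags word."""
    return [name for bit, name in sorted(TICKET_FLAGS.items())
            if value & (1 << (31 - bit))]


def ticket_lifetime(fields):
    """How long the granted ticket is valid: EndTime - StartTime."""
    return parse_time(fields["EndTime"]) - parse_time(fields["StartTime"])


def renewable_lifetime(fields):
    """How long the ticket may be renewed: RenewUntil - StartTime."""
    return parse_time(fields["RenewUntil"]) - parse_time(fields["StartTime"])


def effective_lifetime(requested, client_max, service_max):
    """MIT-krb5-style clamp: the KDC grants the smallest of the three."""
    return min(requested, client_max, service_max)


def summarize(text):
    f = parse_klist(text)
    return {
        "realm": f["DomainName"],
        "flags": decode_flags(int(f["TicketFlags"], 16)),
        "lifetime": ticket_lifetime(f),
        "renewable_for": renewable_lifetime(f),
        "key_expiration_set": not is_unset(parse_time(f["KeyExpirationTime"])),
    }


if __name__ == "__main__":
    s = summarize(KLIST_TGT)
    print(f"TGT for {s['realm']}: valid {s['lifetime']}, "
          f"renewable for {s['renewable_for']}, flags: {', '.join(s['flags'])}")
    # Hypothetical values: a 600-minute policy is clamped to 8h if any other
    # limit in the KDC's set (here a made-up service-side limit) is 8h.
    print("granted:", effective_lifetime(timedelta(minutes=600),
                                         timedelta(minutes=600),
                                         timedelta(hours=8)))
```

Run against the quoted dump, `summarize` reports an 8-hour ticket that is forwardable, renewable, initial and pre-authenticated, with a renew-until only one hour after issue; comparing those two intervals against each policy value you set is a quicker check than rebooting the controller.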
