Parameters in « Strategy Kerberos » not taken into account.

jivko jivko.mitev at free.fr
Thu Oct 30 08:44:08 EDT 2008


Title: Parameters in « Strategy Kerberos » not taken into account.

Environment: Domain controller « Windows 2000 Server SP4 », client « Windows XP SP2 »
Particularities of the environment:
The server is the only AD controller in its VLAN. It was added to the
production domain, replicated, then detached and plugged into a
closed VLAN, with removal of the missing references.
The server is in AD2000 native mode, but the domain was not
created from scratch; it was migrated from NT.
The VLAN contains the only XP host, a member of the domain.

At the beginning the domain was under NT; it contained a certain
number of NT hosts (1 PDC and several BDCs).
The domain was migrated to Windows 2000 like this:
1) migration of the NT PDC to 2000; 2000 is then in mixed mode, which means
that the 2000 server emulates an NT PDC
2) replacement of all the NT controllers by 2000 controllers
installed from scratch
3) at the end, when there were no NT controllers left in the domain,
reinstallation from scratch to 2000 of the ex-NT PDC
4) when there are only 2000 machines installed from scratch, switching
the AD to 2000 « native » mode

So, the controllers are 100% 2000, but the AD structure comes from the
old NT domain.


Description:
We want to modify the max lifetime of the Kerberos TGT tickets. To do
this:
1) we modified the value of the TGT max lifetime to 600 in «
Stratégie de sécurité du domaine / …/ Strategie Kerberos »

On the client host we do:
 2) klist purge
 3) access the shared folder
 4) klist tgt
===========
C:\Program Files\Resource Kit>klist tgt

Cached TGT:

ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: GOVARTAN
DomainName: AESN.FR♠
TargetDomainName: AESN.FR♠
AltTargetDomainName: AESN.FR♠
TicketFlags: 0x40e00000
KeyExpirationTime: 1/1/1601 2:00:00
StartTime: 10/16/2008 18:04:54
EndTime: 10/17/2008 2:04:54
RenewUntil: 10/16/2008 19:04:54
TimeSkew: 1/1/1601 2:00:00
==========

The problem: the TGT max lifetime is 8h.
After a reboot of the server: the same result.
The same modifications are taken into account on the host installed
from scratch with Windows 2000.

Questions:
1) As the default ticket max lifetime is 10h, where does the
8h duration come from?

2) How do we modify (force) the TGT max lifetime in our platform
configuration?
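A check a reader can run over `klist tgt` output like the one quoted above, added here as an example and not part of the original post or of any Microsoft tool: it parses the `Name: value` lines, computes the observed TGT lifetime (EndTime minus StartTime) and renewal window, decodes the TicketFlags bits using the RFC 4120 bit layout, and compares the observed lifetime against the value the administrator believes the Kerberos policy sets. The sample output is constructed from the timestamps in the post with the realm and principal replaced by placeholders (EXAMPLE.TEST, USER1), and the expected lifetime is a hypothetical parameter the caller supplies, not something read from the domain.

```python
import re
from datetime import datetime, timedelta

# Constructed sample (not captured from a live system): the timestamps
# from the post, with realm and principal replaced by placeholders.
SAMPLE_KLIST = """\
Cached TGT:

ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: USER1
DomainName: EXAMPLE.TEST
TargetDomainName: EXAMPLE.TEST
AltTargetDomainName: EXAMPLE.TEST
TicketFlags: 0x40e00000
KeyExpirationTime: 1/1/1601 2:00:00
StartTime: 10/16/2008 18:04:54
EndTime: 10/17/2008 2:04:54
RenewUntil: 10/16/2008 19:04:54
TimeSkew: 1/1/1601 2:00:00
"""

# Ticket flag bits as laid out in RFC 4120 section 5.3 (bit 0 is the MSB
# of the 32-bit value), which is how klist prints TicketFlags.
TICKET_FLAGS = [
    (0x40000000, "forwardable"),
    (0x20000000, "forwarded"),
    (0x10000000, "proxiable"),
    (0x08000000, "proxy"),
    (0x04000000, "may_postdate"),
    (0x02000000, "postdated"),
    (0x01000000, "invalid"),
    (0x00800000, "renewable"),
    (0x00400000, "initial"),
    (0x00200000, "pre_authent"),
    (0x00100000, "hw_authent"),
    (0x00040000, "ok_as_delegate"),
]

KLIST_TIME_FORMAT = "%m/%d/%Y %H:%M:%S"
UNSET_YEAR = 1601  # klist prints 1/1/1601 for timestamps that are not set


def parse_klist_tgt(text):
    """Turn the 'Name: value' lines of klist tgt output into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z]+):\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def parse_time(value):
    """Parse a klist timestamp; return None for the 1601 'unset' sentinel."""
    t = datetime.strptime(value, KLIST_TIME_FORMAT)
    return None if t.year == UNSET_YEAR else t


def decode_flags(value):
    """Names of the ticket flags set in an integer TicketFlags value."""
    return [name for bit, name in TICKET_FLAGS if value & bit]


def ticket_lifetime(fields):
    """Observed TGT lifetime: EndTime - StartTime."""
    return parse_time(fields["EndTime"]) - parse_time(fields["StartTime"])


def renew_window(fields):
    """How long after StartTime the TGT may still be renewed."""
    return parse_time(fields["RenewUntil"]) - parse_time(fields["StartTime"])


def check_policy(fields, expected_lifetime_hours):
    """Compare the cached TGT with the lifetime the admin expects.

    expected_lifetime_hours is a hypothetical input: the 'Maximum lifetime
    for user ticket' value the admin believes is in force. Returns a list
    of findings; an empty list means the ticket matches the expectation.
    """
    findings = []
    lifetime = ticket_lifetime(fields)
    expected = timedelta(hours=expected_lifetime_hours)
    if lifetime != expected:
        findings.append(
            "TGT lifetime is %s but the expected policy value is %s; the KDC "
            "issued this ticket under a different setting" % (lifetime, expected))
    flags = decode_flags(int(fields["TicketFlags"], 16))
    if "renewable" in flags and renew_window(fields) < lifetime:
        findings.append(
            "RenewUntil is only %s after StartTime, shorter than the ticket "
            "itself, so renewal cannot extend it" % renew_window(fields))
    return findings


if __name__ == "__main__":
    f = parse_klist_tgt(SAMPLE_KLIST)
    print("flags:", ", ".join(decode_flags(int(f["TicketFlags"], 16))))
    print("lifetime:", ticket_lifetime(f), "renew window:", renew_window(f))
    for finding in check_policy(f, expected_lifetime_hours=10):
        print("-", finding)
```

On the sample above the script reports a lifetime of 8:00:00 against an expected 10 hours and a renewal window of 1:00:00, which is the discrepancy the post describes; running it against `klist tgt` output from a client on each domain controller is a quick way to see which KDC hands out which lifetime before digging into the policy precedence.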


