3.3.5.7.1 Check Account Policy for Every Session Ticket Request

Kerberos V5 does not enforce revocation of accounts prior to the expiration of issued tickets.

If the POLICY_KERBEROS_VALIDATE_CLIENT bit is set in the AuthenticationOptions (section 3.3.1) setting on the KDC, then KILE will enforce revocation on the account KDCs. When this property is set on the account KDC for the client's domain, and the TGT is older than an implementation-specific time<68>, the account KDC MUST verify that the account is still in good standing. Good standing means the account has not expired, has not been locked out, has not been disabled, and is not otherwise prevented from logging on. If the KDC receiving the session ticket request is not in the user account's domain, then the check cannot be made.

  • If Disabled is TRUE, then the KDC MUST return KDC_ERR_CLIENT_REVOKED.

  • If Expired is TRUE, then the KDC MUST return KDC_ERR_CLIENT_REVOKED.

  • If Locked is TRUE, then the KDC MUST return KDC_ERR_CLIENT_REVOKED.

  • If current time is not within the LogonHours, then the KDC MUST return KDC_ERR_CLIENT_REVOKED.
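The decision procedure above, written out as an added Python model (not code from MS-KILE or any Windows implementation). The TGT age threshold stands in for the implementation-specific time <68>, and LogonHours is modelled as a 168-bit bitmap, one bit per hour of the week starting Sunday 00:00 UTC; both are assumptions of this example, not values from the specification.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Error name as given in the specification; its numeric code is not on this page.
KDC_ERR_CLIENT_REVOKED = "KDC_ERR_CLIENT_REVOKED"

# Assumption: stands in for the implementation-specific TGT age <68>.
TGT_AGE_THRESHOLD = timedelta(minutes=20)


@dataclass
class Account:
    disabled: bool = False
    expired: bool = False
    locked: bool = False
    # Assumption: 168-bit bitmap, bit (day * 24 + hour) set means logon allowed,
    # day 0 = Sunday, hours in UTC. Default: always allowed.
    logon_hours: int = (1 << 168) - 1


def within_logon_hours(account: Account, now: datetime) -> bool:
    """True if the current UTC hour is permitted by the account's LogonHours."""
    now = now.astimezone(timezone.utc)
    day = (now.weekday() + 1) % 7          # Python: Monday=0, so rotate to Sunday=0
    return (account.logon_hours >> (day * 24 + now.hour)) & 1 == 1


def check_session_ticket_request(kdc_validate_client: bool, kdc_in_account_domain: bool,
                                 account: Account, tgt_auth_time: datetime,
                                 now: datetime) -> Optional[str]:
    """Return KDC_ERR_CLIENT_REVOKED if the account KDC must refuse, else None."""
    if not kdc_validate_client:
        return None   # policy bit clear: plain Kerberos V5, no revocation check
    if not kdc_in_account_domain:
        return None   # KDC outside the account's domain: the check cannot be made
    if now - tgt_auth_time <= TGT_AGE_THRESHOLD:
        return None   # TGT is still fresh: account standing is not re-verified
    if account.disabled or account.expired or account.locked:
        return KDC_ERR_CLIENT_REVOKED
    if not within_logon_hours(account, now):
        return KDC_ERR_CLIENT_REVOKED
    return None
```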