3.3.3 Initialization

Kerberos V5 specifies that all KDCs in a domain MUST have the same key, and that the service principal name (SPN) of the TGS is "krbtgt/domain-name" ([RFC4120] section 6.2).

KILE implementations that use the LSAD for the configuration database load the KDC configuration from the Kerberos Policy Information ([MS-LSAD] section 3.1.1.1). The KDC calls the LsarQueryDomainInformationPolicy method ([MS-LSAD] section 3.1.4.4.7) with the InformationClass parameter set to PolicyDomainKerberosTicketInformation to retrieve the current values. The KDC configuration settings are set as follows:

  • MaxRenewAge (section 3.3.1) to the value of the MaxRenewAge field.

  • MaxClockSkew (section 3.3.1) to the value of the MaxClockSkew field.

  • MaxServiceTicketAge (section 3.3.1) to the value of the MaxServiceTicketAge field.

  • MaxTicketAge (section 3.3.1) to the value of the MaxTicketAge field.

  • AuthenticationOptions (section 3.3.1) to the value of the AuthenticationOptions field.

Implementations of KILE KDCs that use Active Directory for the account database MUST use the krbtgt account in Active Directory.

If the KDC has a ticket replay cache, it MUST be reset when the KDC starts up.

If the KDC has a ticket cache, the ticket cache MUST be initialized to an empty state.

If the KDC supports:<44>

  • FAST: the KDC sets the FAST-supported bit on the krbtgt account’s KerbSupportedEncryptionTypes.

  • Claims: the KDC sets the claims-supported bit (specified in section 2.2.7) on the krbtgt account’s KerbSupportedEncryptionTypes.
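As an added illustration (not code from the specification or from any KDC implementation), the initialization sequence above modelled in Python: the policy buffer returned for PolicyDomainKerberosTicketInformation is parsed, the five settings are mapped, both caches are reset, and the FAST-supported and claims-supported bits are set on the krbtgt account's KerbSupportedEncryptionTypes. The structure layout, the 100-nanosecond interval units and the two bit values are assumptions taken from [MS-LSAD] section 2.2.4.8 and [MS-KILE] section 2.2.7 rather than from this page, and the sample policy buffer is constructed.

```python
import struct
from dataclasses import dataclass

# Assumed POLICY_DOMAIN_KERBEROS_TICKET_INFO layout ([MS-LSAD] 2.2.4.8, not on this page):
# 32-bit AuthenticationOptions, 4 alignment bytes, then LARGE_INTEGER MaxServiceTicketAge,
# MaxTicketAge, MaxRenewAge, MaxClockSkew, Reserved, each an interval in 100-nanosecond ticks.
_POLICY_LAYOUT = struct.Struct("<I4xqqqqq")
TICKS_PER_SECOND = 10_000_000
# Assumed KerbSupportedEncryptionTypes bit values ([MS-KILE] 2.2.7, not on this page).
FAST_SUPPORTED = 0x00010000
CLAIMS_SUPPORTED = 0x00040000

@dataclass
class KdcConfig:  # the section 3.3.1 settings, intervals converted to whole seconds
    max_renew_age: int
    max_clock_skew: int
    max_service_ticket_age: int
    max_ticket_age: int
    authentication_options: int

def load_kdc_config(policy_blob: bytes) -> KdcConfig:
    """Apply the section 3.3.3 field mapping to a PolicyDomainKerberosTicketInformation buffer."""
    auth_opts, svc_age, tkt_age, renew_age, skew, _reserved = _POLICY_LAYOUT.unpack(policy_blob)
    return KdcConfig(
        max_renew_age=renew_age // TICKS_PER_SECOND,
        max_clock_skew=skew // TICKS_PER_SECOND,
        max_service_ticket_age=svc_age // TICKS_PER_SECOND,
        max_ticket_age=tkt_age // TICKS_PER_SECOND,
        authentication_options=auth_opts,
    )

def initialize_kdc(policy_blob: bytes, krbtgt_enc_types: int, *, fast: bool, claims: bool) -> dict:
    """Model KDC start-up: load the config, reset both caches, advertise FAST/claims on krbtgt."""
    flags = krbtgt_enc_types
    if fast:
        flags |= FAST_SUPPORTED
    if claims:
        flags |= CLAIMS_SUPPORTED
    return {
        "config": load_kdc_config(policy_blob),
        "replay_cache": set(),   # MUST be reset when the KDC starts up
        "ticket_cache": {},      # MUST be initialized to an empty state
        "krbtgt_enc_types": flags,
    }

# Constructed sample buffer: AuthenticationOptions 0x80, 600 min service tickets, 10 h TGT, 7 d renew, 5 min skew.
SAMPLE_POLICY = _POLICY_LAYOUT.pack(
    0x80, 600 * 60 * TICKS_PER_SECOND, 10 * 3600 * TICKS_PER_SECOND,
    7 * 86400 * TICKS_PER_SECOND, 5 * 60 * TICKS_PER_SECOND, 0)
```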