Kerberos Policy

Kerberos policy is defined at the domain level and is implemented by the domain's KDC. Kerberos policy is stored in Active Directory as a subset of the attributes of domain security policy. By default, policy options can be set only by members of the Domain Admins group. The policy includes these options:

Enforce user logon restrictions    When this option is enabled, the KDC validates every request for a session ticket by examining user rights policy on the destination computer to verify that the user has the right to either Log on locally or Access this computer from network . Verification is optional because the extra step takes time and might slow network access to services. The default is enabled.

Maximum lifetime for service ticket.    A service ticket is a session ticket. Settings are in minutes. The setting must be greater than ten minutes and less than the setting for Maximum user ticket lifetime . The default is ten hours.

Maximum lifetime for user ticket    A user ticket is a TGT. Settings are in hours. The default setting is ten hours.

Maximum lifetime for user ticket renewal    Settings are in days. The default setting is seven days.

Maximum tolerance for computer clock synchronization    Settings are in minutes. The default is five minutes.