Share via

Maximum lifetime for service ticket

Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy


Determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. The setting must be greater than ten minutes and less than or equal to the setting for Maximum lifetime for user ticket .

By default, this value is set to 600 minutes (10 hours) in the Default Domain Group Policy object (GPO).

Note Image Note

If a client presents an expired session ticket when requesting a connection to a server, the server returns an error message. The client must request a new session ticket from the Kerberos Key Distribution Center (KDC). Once a connection is authenticated, however, it no longer matters whether the session ticket remains valid. Session tickets are used only to authenticate new connections with servers. Ongoing operations are not interrupted if the session ticket used to authenticate the connection expires during the connection.