3.3.4.1 KDC Configuration Changes

If an implementation supports multiple KDCs for a realm, then it needs a mechanism for keeping the KDC configuration database consistent across all the KDCs. KDC configuration change details are determined by the implementation.

When KILE implementations that use the LSAD for the configuration database receive a KDC ConfigurationChange event, the KDC SHOULD call the LsarQueryDomainInformationPolicy method ([MS-LSAD] section 3.1.4.4.7). The InformationClass parameter SHOULD be set to the value of PolicyDomainKerberosTicketInformation in order to retrieve the current values. The KDC configuration settings are set as follows:

  • MaxRenewAge (section 3.3.1) to the value of the MaxRenewAge field.

  • MaxClockSkew (section 3.3.1) to the value of the MaxClockSkew field.

  • MaxServiceTicketAge (section 3.3.1) to the value of the MaxServiceTicketAge field.

  • MaxTicketAge (section 3.3.1) to the value of the MaxTicketAge field.

  • AuthenticationOptions (section 3.3.1) to the value of the AuthenticationOptions field.
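
The field mapping above, as an added example that is not part of the specification or of any KDC implementation: it decodes one returned structure and replaces all five settings together, so no request sees a partially updated mix. Assumptions: the byte layout and 100-nanosecond units of POLICY_DOMAIN_KERBEROS_TICKET_INFO, the conversion to seconds, and the hypothetical names KdcConfig, decode_ticket_info, on_configuration_change and query_policy.

```python
import struct
from dataclasses import dataclass

# Assumption: flat little-endian image of POLICY_DOMAIN_KERBEROS_TICKET_INFO
# ([MS-LSAD]): ULONG AuthenticationOptions, 4 bytes of padding, then
# MaxServiceTicketAge, MaxTicketAge, MaxRenewAge, MaxClockSkew and Reserved
# as signed 64-bit counts of 100-nanosecond intervals.
LAYOUT = struct.Struct("<I4x5q")
TICKS_PER_SECOND = 10_000_000


@dataclass(frozen=True)
class KdcConfig:
    """The five section 3.3.1 settings; durations are held in seconds."""
    max_renew_age: int
    max_clock_skew: int
    max_service_ticket_age: int
    max_ticket_age: int
    authentication_options: int


def decode_ticket_info(buf: bytes) -> KdcConfig:
    """Map one returned structure onto the KDC settings, field by field."""
    if len(buf) != LAYOUT.size:
        raise ValueError(f"expected {LAYOUT.size} bytes, got {len(buf)}")
    options, service, ticket, renew, skew, _reserved = LAYOUT.unpack(buf)
    if min(service, ticket, renew, skew) < 0:
        raise ValueError("negative duration in ticket policy")
    return KdcConfig(
        max_renew_age=renew // TICKS_PER_SECOND,
        max_clock_skew=skew // TICKS_PER_SECOND,
        max_service_ticket_age=service // TICKS_PER_SECOND,
        max_ticket_age=ticket // TICKS_PER_SECOND,
        authentication_options=options,
    )


def on_configuration_change(current: KdcConfig, query_policy) -> KdcConfig:
    """Return the settings to use after a ConfigurationChange event.

    query_policy is a hypothetical callable standing in for
    LsarQueryDomainInformationPolicy with PolicyDomainKerberosTicketInformation.
    An undecodable reply keeps the previous settings (a design choice here).
    """
    try:
        return decode_ticket_info(query_policy())
    except ValueError:
        return current


# Constructed sample reply: options 0x80, 600 min, 10 h, 7 d, 5 min.
SAMPLE = LAYOUT.pack(0x80, *(s * TICKS_PER_SECOND for s in (36000, 36000, 604800, 300)), 0)
```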