WinSecWiki > Security Settings > Account Policies > Kerberos Policy > Service Ticket

Maximum Lifetime For Service Ticket

This is a domain level setting and only has effect on the domain policy in GPOs linked to the root of the domain. This setting has effect what so ever in GPOs linked to organizational units including the Domain Controllers OU. This setting has effect on workstations and member servers.

Kerberos tickets have a limited lifetime for so that hopefullly the ticket expires before a bad guy has time to crack the session key encrypting the ticket. This policy as well as some other policies under Kerberos policies define how long a ticket is good for and how many times the ticket can be renewed.

This setting is defined minutes and defaults to 600 minutes (10 hours). It can range between greater than ten minutes and less than or equal to whatever is configured for Maximum lifetime for user ticket.

Effect on domain controller security logs

You may find that your domain controller recording frequent occurrences of event ID 677/4769 (Service Ticket Request Failed) with failure code 0x20. The failure code 0x20 is directly related to Maximum lifetime for user ticket and this policy. Increasing these thresholds should result in fewer 677 events, but the events still occur.

Bottom line

Leave this policy alone unless you need to increase it in order to reduce load on domain controllers or reduce security events logged due to ticket expiration.

Back to top


Additional Resources