
Maximum Lifetime For User Ticket

This is a domain-level setting: it only takes effect in the Domain policy, that is, in GPOs linked to the root of the domain. It has no effect whatsoever in GPOs linked to organizational units, including the Domain Controllers OU, and it has no effect on workstations and member servers. The KDC service on the domain controllers enforces it when it issues tickets.

This setting should really be called Maximum Lifetime For Ticket Granting Tickets. Its current name is misleading: Kerberos has only two types of tickets, TGTs and service tickets, and users are not the only principals that get TGTs.

Kerberos tickets have a limited lifetime so that a ticket will hopefully expire before an attacker has time to crack it or to abuse a stolen copy. This policy, together with the other policies under Kerberos Policy, defines how long a ticket is valid and for how long it can be renewed. This setting specifically controls the lifetime of Ticket Granting Tickets (TGTs). With Kerberos, your initial authentication to the domain controller results in a TGT, which you then use to request service tickets for any computers you need to access. Each computer, when it starts, obtains a TGT before requesting a service ticket for the domain controller and for any other computers it needs to access. The same goes for services that start under a specified user account: you must always get a TGT first, then service tickets for every computer and service accessed.

This setting is expressed in hours and defaults to 10 hours. A value of 0 means TGTs never expire, which defeats the purpose of the policy and should not be used.

When a TGT expires, Windows automatically tries to renew it; how long a TGT can keep being renewed is limited by Maximum lifetime for user ticket renewal, which defaults to 7 days.
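The following PowerShell script is an added example, not code from the WinSecWiki page. It ties the two points above together: it reads the Kerberos Policy values the KDC enforces from the Default Domain Policy in SYSVOL (the domain-root GPO, the only place where this setting takes effect) and compares MaxTicketAge and MaxRenewAge with the TGT actually held by the current logon session as reported by klist. It assumes the Default Domain Policy carries the well-known GUID {31B2F340-016D-11D2-945F-00C04FB984F9} and that its security template sits at the standard SYSVOL path; the klist text used with -Offline is a constructed sample so the script can be run without a domain.

```powershell
# Added example (not from the WinSecWiki page): compare the Kerberos Policy
# values enforced by the domain-root GPO with the TGT the current session holds.
# Assumptions: the Default Domain Policy has the well-known GUID below and its
# GptTmpl.inf is at the standard SYSVOL path; the klist text is a constructed sample.
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [switch]$Offline
)

# Constructed sample of klist output; values match the 10 h / 7 d defaults.
$SampleKlist = @'
Current LogonId is 0:0x3e7

Cached Tickets: (1)

#0>     Client: alice @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 01/02/2024 08:00:00 (local)
        End Time:   01/02/2024 18:00:00 (local)
        Renew Time: 01/09/2024 08:00:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: DC01.corp.example
'@ -split "`r?`n"

function Get-KerberosPolicyFromSysvol {
    param([string]$Domain)
    # The [Kerberos Policy] section of GptTmpl.inf holds MaxTicketAge (hours),
    # MaxRenewAge (days), MaxServiceAge (minutes) and MaxClockSkew (minutes).
    $inf = "\\$Domain\SYSVOL\$Domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}" +
           "\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    $policy = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Kerberos Policy'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(\d+)') { $policy[$Matches[1]] = [int]$Matches[2] }
    }
    return $policy
}

function ConvertTo-KlistDate([string]$Text) {
    # The sample uses an invariant format; live klist prints in the console's culture.
    $d = [datetime]::MinValue
    if ([datetime]::TryParse($Text, [cultureinfo]::InvariantCulture, 'None', [ref]$d)) { return $d }
    return [datetime]::Parse($Text)
}

function Get-TgtFromKlist {
    param([string[]]$Lines)
    # Walk the cached tickets; the TGT is the entry whose Server is krbtgt/<REALM>.
    $ticket = $null
    foreach ($line in $Lines) {
        if ($line -match '^#\d+>') { $ticket = @{} }
        if ($null -eq $ticket) { continue }
        if     ($line -match 'Server:\s*(\S+)')          { $ticket.Server = $Matches[1] }
        elseif ($line -match 'Start Time:\s*(.+?)\s*\(') { $ticket.Start  = ConvertTo-KlistDate $Matches[1] }
        elseif ($line -match 'End Time:\s*(.+?)\s*\(')   { $ticket.End    = ConvertTo-KlistDate $Matches[1] }
        elseif ($line -match 'Renew Time:\s*(.+?)\s*\(') { $ticket.Renew  = ConvertTo-KlistDate $Matches[1] }
        if ($ticket.Server -like 'krbtgt/*' -and $ticket.Start -and $ticket.End -and $ticket.Renew) {
            return [pscustomobject]@{
                Server        = $ticket.Server
                LifetimeHours = [math]::Round(($ticket.End   - $ticket.Start).TotalHours, 2)
                RenewDays     = [math]::Round(($ticket.Renew - $ticket.Start).TotalDays, 2)
            }
        }
    }
    throw 'No TGT (krbtgt/...) found in klist output.'
}

$policy = if ($Offline) { @{ MaxTicketAge = 10; MaxRenewAge = 7 } } else { Get-KerberosPolicyFromSysvol -Domain $Domain }
$lines  = if ($Offline) { $SampleKlist } else { klist }
$tgt    = Get-TgtFromKlist -Lines $lines

"Policy (domain root GPO): MaxTicketAge = $($policy.MaxTicketAge) h, MaxRenewAge = $($policy.MaxRenewAge) d"
"Observed TGT: $($tgt.Server) valid for $($tgt.LifetimeHours) h, renewable for $($tgt.RenewDays) d"
if ($tgt.LifetimeHours -gt $policy.MaxTicketAge) {
    Write-Warning 'TGT lifetime exceeds MaxTicketAge: check which GPO the domain controllers actually applied.'
}
if ($tgt.RenewDays -gt $policy.MaxRenewAge) {
    Write-Warning 'TGT renew window exceeds MaxRenewAge.'
}
```

Run it with -Offline to see the parsing on the sample, or without it on a domain-joined machine whose user has read access to SYSVOL. An observed lifetime shorter than MaxTicketAge is normal (the KDC also caps it by the account's logon hours and the requested lifetime); a longer one means the domain controllers are applying a different GPO than the one you expected, which is exactly the situation the first paragraph above warns about when the setting is placed in an OU-linked GPO.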
