
Maximum Lifetime For User Ticket Renewal

This is a domain-level setting and only takes effect in the domain policy, i.e. in GPOs linked to the root of the domain. It has no effect whatsoever in GPOs linked to organizational units, including the Domain Controllers OU. The setting nonetheless affects workstations and member servers, since they obtain TGTs too.

This setting should really be called Maximum Lifetime For Ticket Granting Ticket Renewal. The name isn't really appropriate because in Kerberos there are only two types of tickets, TGTs and service tickets, and users aren't the only principals that get TGTs.

Kerberos tickets have a limited lifetime so that, hopefully, the ticket expires before a bad guy has time to crack it. This policy, together with the other policies under Kerberos Policy, defines how long a ticket is good for and for how long it can be renewed. This setting specifically controls how long Ticket Granting Tickets (TGTs) can be renewed. With Kerberos, your initial authentication to the domain controller results in a TGT, which you then use to request service tickets to any computers you need to access. Each computer, when it starts, gets a TGT before requesting a service ticket to the domain controller and to any other computers it needs to access. The same goes for services that start up under a specified user account: you must always get a TGT first, then service tickets to all computers and services accessed.

This setting is defined in days and defaults to 7.
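The following is an added example, not part of the WinSecWiki page. It parses the `[Kerberos Policy]` section of a security template (GptTmpl.inf, the file in which a domain-root GPO stores these values; the sample text and the timestamps are constructed), reads `MaxRenewAge` (this setting, in days) next to `MaxTicketAge` (hours), flags a renewal age above the default of 7, and models the KDC's renewal decision for a TGT so the interplay between the two values is visible: a TGT must be renewed before its current end time, and no renewal can push it past the renew-till time derived from this setting.

```python
"""Added example: inspect MaxRenewAge in a GptTmpl.inf and model TGT renewal.

Not the page's or Microsoft's code. The INF text below is a constructed sample
using the Windows default values; a real file sits under
\\\\<domain>\\SYSVOL\\<domain>\\Policies\\<GPO GUID>\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\
and is UTF-16 encoded, so open it with encoding="utf-16" before parsing.
"""
import configparser
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of a security template. Only [Kerberos Policy] is parsed.
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Kerberos Policy]
MaxTicketAge=10
MaxRenewAge=7
MaxServiceAge=600
MaxClockSkew=5
TicketValidateClient=1
[Version]
signature="$CHICAGO$"
Revision=1
"""

DEFAULT_MAX_RENEW_AGE_DAYS = 7  # default stated on the page


def parse_kerberos_policy(inf_text: str) -> dict:
    """Return the [Kerberos Policy] keys as integers, exactly as the INF stores them."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep INF key names case-sensitive
    cp.read_string(inf_text)
    if not cp.has_section("Kerberos Policy"):
        return {}
    return {key: int(value) for key, value in cp["Kerberos Policy"].items()}


def renew_age_exceeds_default(policy: dict) -> bool:
    """True when the template lengthens the renewal window beyond the 7-day default."""
    return policy.get("MaxRenewAge", DEFAULT_MAX_RENEW_AGE_DAYS) > DEFAULT_MAX_RENEW_AGE_DAYS


@dataclass
class Tgt:
    issued_at: datetime
    end_time: datetime      # bounded by MaxTicketAge (hours)
    renew_until: datetime   # bounded by MaxRenewAge (days), fixed at first issue


def issue_tgt(now: datetime, policy: dict) -> Tgt:
    """Initial AS exchange: end time from MaxTicketAge, renew-till from MaxRenewAge."""
    return Tgt(
        issued_at=now,
        end_time=now + timedelta(hours=policy["MaxTicketAge"]),
        renew_until=now + timedelta(days=policy["MaxRenewAge"]),
    )


def renew_tgt(tgt: Tgt, now: datetime, policy: dict):
    """Model the KDC renewal check (RFC 4120, section 3.3.3).

    Renewal is refused if the ticket has already expired or renew-till has passed.
    The renewed ticket keeps the original renew-till, and its new end time is
    capped by it, so MaxRenewAge is the hard ceiling on a TGT's total life.
    Returns the renewed Tgt, or None when the KDC would refuse.
    """
    if now >= tgt.end_time or now >= tgt.renew_until:
        return None
    new_end = min(now + timedelta(hours=policy["MaxTicketAge"]), tgt.renew_until)
    return Tgt(issued_at=now, end_time=new_end, renew_until=tgt.renew_until)


if __name__ == "__main__":
    pol = parse_kerberos_policy(SAMPLE_GPTTMPL)
    print("Kerberos Policy:", pol)
    print("MaxRenewAge above default:", renew_age_exceeds_default(pol))
    t = issue_tgt(datetime(2024, 1, 1, 8, 0), pol)
    print("TGT ends", t.end_time, "renewable until", t.renew_until)
```

Because `issue_tgt` and `renew_tgt` take the parsed policy, the same code can be pointed at a template with a longer `MaxRenewAge` to see exactly how far the renewal window moves; the only thing that changes in the model is `renew_until`, which is why lengthening this setting matters more than it first appears.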
