I have recently worked on a case where questions about increasing the Kerberos ticket lifetime came up. Long story short: There are security concerns about increasing the lifetime of Kerberos tickets. Details are below.
Background
These are the default/recommended values which are currently used:
- Maximum lifetime for user ticket: 10 hours
- Maximum lifetime for user ticket renewal: 7 days
Note that the “ticket renewal” value is the “maximum cumulative ticket life”. This means a ticket can be renewed (a new session key is assigned) every 10 hours for up to 7 days. Once 7 days or more have passed since the ticket was created, a new ticket must be obtained even if the ticket is renewable, because the maximum cumulative ticket life has been reached.
Is Windows Authentication failing while using IBM Cognos? Check this post out: Windows Authentication is failing for IBM Cognos
Questions about Kerberos ticket lifetime
Can the lifetime be longer than the renewal time?
Technically, yes. Logically, though, the ticket lifetime should not exceed the ticket renewal time. Say the lifetime is 8 days and the renewal time is 7 days: the ticket becomes invalid after 7 days regardless of the lifetime value, because the renewal time is the maximum cumulative time a ticket can be extended to.
Any side effects if the lifetime is the same as renewal time?
It’s acceptable. However, it is better for the renewal time to be longer than the lifetime. If they are the same:
- If the value is small, such as 1 day, the client must reauthenticate every day, which makes the process inefficient
- If the value is high, such as 3-4 days, the client stays authenticated for 3-4 days. There are security concerns around long ticket lifetimes:
  - If an account is disabled (say the person leaves the company), the account can continue to use the application until the ticket expires
  - If the ticket is compromised, the attacker can keep using it to access the system until the ticket expires
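To make the lifetime/renewal arithmetic above concrete, here is a small model of how the two policy values interact, written as an added example for this post (it is not code from the post or from Windows). It follows the rules stated above: a ticket's end time is capped at the cumulative limit (`renew_till`), a renewal grants a new end time without a new logon but only while the ticket is still valid and only up to that cap, and the exposure functions quantify the two security concerns in the list. The policy names, the `T0` logon time and the "3 days / 3 days" and "1 day / 1 day" policies are constructed for illustration; the assumption that the KDC refuses to renew a ticket once the account is disabled, while the ticket already in hand keeps working until its end time, is a modelling assumption stated in the code.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class KerberosPolicy:
    """The two GPO values discussed above, as timedeltas."""
    max_ticket_age: timedelta   # "Maximum lifetime for user ticket"
    max_renew_age: timedelta    # "Maximum lifetime for user ticket renewal"


@dataclass(frozen=True)
class Ticket:
    authtime: datetime    # when the client last logged on with its key (AS exchange)
    endtime: datetime     # current expiry of this ticket
    renew_till: datetime  # cumulative cap: authtime + max_renew_age; never moves


# Policies: the defaults from the post, plus constructed ones for comparison.
DEFAULT_POLICY = KerberosPolicy(timedelta(hours=10), timedelta(days=7))
LONG_LIFE_POLICY = KerberosPolicy(timedelta(days=8), timedelta(days=7))  # "8 days / 7 days" case
SAME_3D_POLICY = KerberosPolicy(timedelta(days=3), timedelta(days=3))    # constructed
SAME_1D_POLICY = KerberosPolicy(timedelta(days=1), timedelta(days=1))    # constructed
WEEK = timedelta(days=7)

T0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)  # constructed logon time


def after(hours=0, days=0):
    """Convenience: a point in time relative to the constructed logon time T0."""
    return T0 + timedelta(hours=hours, days=days)


def issue_ticket(policy, now):
    """Model of the initial logon: the cumulative cap is fixed once, and the
    ticket's own end time can never go past it (the 8-day/7-day rule above)."""
    renew_till = now + policy.max_renew_age
    endtime = min(now + policy.max_ticket_age, renew_till)
    return Ticket(authtime=now, endtime=endtime, renew_till=renew_till)


def renew_ticket(ticket, policy, now):
    """Model of a renewal: a new end time without a new logon, allowed only while
    the ticket is still valid and never beyond renew_till.
    Returns None when a fresh logon (a brand-new ticket) is required instead."""
    if now >= ticket.endtime or now >= ticket.renew_till:
        return None
    new_end = min(now + policy.max_ticket_age, ticket.renew_till)
    return Ticket(ticket.authtime, new_end, ticket.renew_till)


def fresh_logons_required(policy, period):
    """Minimum number of key-based logons in `period`: one per cumulative life.
    Shows why a 1-day/1-day policy forces a logon every day."""
    return math.ceil(period / policy.max_renew_age)


def remaining_exposure(ticket, now, account_disabled):
    """Worst-case window during which this ticket still works, measured at `now`.
    Modelling assumption: once the account is disabled the KDC refuses to renew,
    but the ticket already in hand is honoured by services until its end time.
    While the account is enabled, a renewable ticket can be kept alive up to the cap."""
    if now >= ticket.endtime:
        return timedelta(0)
    if account_disabled:
        return ticket.endtime - now
    return ticket.renew_till - now


if __name__ == "__main__":
    t = issue_ticket(DEFAULT_POLICY, T0)
    print("default policy: ticket ends", t.endtime, "renewable until", t.renew_till)
    print("8d/7d policy: ticket ends", issue_ticket(LONG_LIFE_POLICY, T0).endtime)
    print("logons per week, 1d/1d policy:", fresh_logons_required(SAME_1D_POLICY, WEEK))
    print("exposure if account disabled 1h after logon (default):",
          remaining_exposure(t, after(hours=1), account_disabled=True))
    print("exposure if account disabled 1d after logon (3d/3d):",
          remaining_exposure(issue_ticket(SAME_3D_POLICY, T0), after(days=1), account_disabled=True))
```

Running it shows the trade-off in numbers: with the defaults a disabled account's current ticket dies within at most 10 hours, whereas with a 3-day/3-day policy it can keep working for up to 3 days, and with a 1-day/1-day policy users pay for the shorter window with a logon every day.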
More Information:
If you receive an HTTP 400 error while using Kerberos, see this post for the solution: HTTP 400 Bad Request (Request header too long)
I have a question, please
I have adjusted my Kerberos Policy (GPO) to the following (before this it said 7 days):
Maximum Lifetime for User Ticket Renewal = 1 day
However, when I do a KLIST on the client the ticket says
Renew Time: <seven days from now>
Do you know why it still says 7 days and not 1 day, and if the GPO setting I am looking at is incorrect, where is the correct one?
Thanks very much