
Kerberos ticket lifetime and renewal time

I have recently worked on a case where questions about increasing the Kerberos ticket lifetime came up. Long story short: There are security concerns about increasing the lifetime of Kerberos tickets. Details are below.

Background

These are the default/recommended values which are currently used:

  • Maximum lifetime for user ticket: 10 hours
  • Maximum lifetime for user ticket renewal: 7 days

Please note that the “ticket renewal” value equals the “maximum cumulative ticket life”. It means that a ticket can be refreshed (a new session key is assigned) every 10 hours for 7 days. If it has been 7 days or more since the ticket was created, a new ticket has to be created even if the ticket is renewable, because the maximum cumulative ticket life has been reached.

Questions about Kerberos ticket lifetime

Can the lifetime be longer than the renewal time?

Technically, yes. Logically, the ticket lifetime should not be longer than the ticket renewal time. Let’s say the lifetime is 8 days and the renewal time is 7 days. The ticket will be invalid after 7 days no matter what the lifetime value is, because the renewal time is the maximum cumulative time a ticket can be extended for.

Any side effects if the lifetime is the same as renewal time?

It’s acceptable. However, it is better if the renewal time is longer than the lifetime. If they are the same:

  • If the value is small, such as 1 day, the client must reauthenticate every day, which makes the process inefficient
  • If the value is high, such as 3-4 days, the client will stay authenticated for 3-4 days. There are security concerns around high ticket lifetimes:
    • If an account is disabled (let’s say the person leaves the company), the account can continue to use the application until the ticket expires
    • If the ticket is compromised, the attacker will be able to use the system until the ticket expires
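To make the rules above concrete, here is an added Python model (not part of the original post) of how lifetime and renewal time interact. It follows the RFC 4120 rule that a renewed ticket's end time is at most one lifetime ahead and never later than the original renew-till, and it assumes the KDC re-checks the account on every renewal, so a disabled account cannot renew; the logon dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Ticket:
    start: datetime
    end: datetime          # current expiry: at most one lifetime ahead, never past renew_till
    renew_till: datetime   # maximum cumulative ticket life; fixed when the ticket is first issued


def issue(now: datetime, lifetime: timedelta, max_renew: timedelta) -> Ticket:
    """Initial logon (AS exchange): the KDC never lets the end time exceed renew_till."""
    renew_till = now + max_renew
    return Ticket(start=now, end=min(now + lifetime, renew_till), renew_till=renew_till)


def renew(t: Ticket, now: datetime, lifetime: timedelta, account_enabled: bool = True) -> Optional[Ticket]:
    """Renewal (TGS exchange). Returns the renewed ticket, or None when the KDC refuses:
    the ticket must still be valid, renew_till must not have passed, and the KDC
    re-checks the account, so a disabled account cannot renew. The new end time is
    at most one lifetime ahead and is capped at the original renew_till."""
    if not account_enabled or now >= t.end or now >= t.renew_till:
        return None
    return Ticket(start=now, end=min(now + lifetime, t.renew_till), renew_till=t.renew_till)


def effective_validity(lifetime: timedelta, max_renew: timedelta, renew_every: timedelta) -> timedelta:
    """How long a client that renews every `renew_every` stays authenticated on one
    logon before it is forced to obtain a brand-new ticket."""
    t0 = datetime(2024, 1, 1)                      # constructed logon time
    t, now = issue(t0, lifetime, max_renew), t0
    while True:
        now += renew_every
        renewed = renew(t, now, lifetime)
        if renewed is None:
            return t.end - t0
        t = renewed


def exposure_after_disable(t: Ticket, disabled_at: datetime) -> timedelta:
    """How long an already-issued ticket keeps working after the account is disabled:
    services accept it until its end time, because they do not consult the KDC."""
    return max(t.end - disabled_at, timedelta(0))


if __name__ == "__main__":
    H, D = timedelta(hours=1), timedelta(days=1)
    print("defaults (10h / 7d), renew every 9h:", effective_validity(10 * H, 7 * D, 9 * H))  # 7 days
    print("lifetime 8d > renewal 7d:", effective_validity(8 * D, 7 * D, 1 * D))             # 7 days
    print("renew too late (every 12h):", effective_validity(10 * H, 7 * D, 12 * H))        # 10 hours
    t = issue(datetime(2024, 1, 1), 4 * D, 4 * D)   # lifetime == renewal == 4 days
    print("usable after disable at +1d:", exposure_after_disable(t, datetime(2024, 1, 2)))  # 3 days
```

The third case shows the other side of the trade-off: a client that lets the 10-hour ticket lapse before renewing must log on again, which is the inefficiency the post mentions for short values.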

More Information:

If you receive HTTP 400 error while using Kerberos, check this post for the solution: HTTP 400 Bad Request (Request header too long)

Ned Sahin

Blogger for 20 years. Former Microsoft Engineer. Author of six books. I love creating helpful content and sharing it with the world. Reach out to me with any questions or feedback.

2 thoughts on “Kerberos ticket lifetime and renewal time”

  1. I have a question, please

    I have adjusted my Kerberos Policy (GPO) settings to the following (before this it said 7 days)

    Maximum Lifetime for User Ticket Renewal = 1 day

    However, when I do a KLIST on the client the ticket says

    Renew Time: <seven days from now>

    Do you know why it still says 7 days and not 1 day, and if the GPO setting I am looking at is incorrect, where is the correct one?

    Thanks very much

