Impact of decreasing Kerberos User Ticket Renewal Lifetime

In a Domain with mostly Windows 7 clients and Windows 2008 R2 + 2012 R2 servers, I'm interested in lowering the User TGT renewal lifetime policy setting from the default (7 days) to the lowest possible value (1 day).

The aim is to limit the timeframe in which a stolen Kerberos ticket can be reused without having the principal's password for authentication.

My impression is that Windows 7 will handle ticket renewal seamlessly, and in the event that a domain user has an interactive session running for more than 24 hours without supplying a password, the user will (at most) get the "Windows need your current credentials" popup balloon from the system tray when renewal lifetime is exceeded (just like when ticket validation fails due to password change).

Is this theory correct?

I just want to make sure that I cause as little disruption from a user perspective as possible.

April 24th, 2015 2:04pm

Renewable TGTs

When tickets are renewable, session keys are refreshed periodically without issuing a completely new ticket. If Kerberos policy permits renewable tickets, the KDC sets a RENEWABLE flag in every ticket it issues and sets two expiration times in the ticket. One expiration time limits the life of the current instance of the ticket; the second expiration time sets a limit on the cumulative lifetime of all instances of the ticket.

The expiration time for the current instance of the ticket is held in the End Time field. As with non-renewable tickets, the value in the End Time field equals the value in the Start Time field plus the value of the maximum ticket life specified by Kerberos policy. A client holding a renewable ticket must send it, presenting a fresh authenticator as well, to the KDC for renewal before the end time is reached. When the KDC receives a ticket for renewal, it checks the value of a second expiration time held in the Renew Till field. This value is set when the ticket is first issued. It equals the value in the ticket's Start Time field plus the value of the maximum cumulative ticket life specified by Kerberos policy. When the KDC renews the ticket, it checks to determine if the renew-till time has not yet arrived. If it has not, the KDC issues a new instance of the ticket with a later end time and a new session key.

This means that administrators can set Kerberos policy so that tickets must be renewed at relatively short intervals (every day, for example). When tickets are renewed, a new session key is issued, minimizing the value of a compromised key. Administrators can also set cumulative ticket life for a relatively long period (one week or one month, for example). At the end of that time, the ticket expires and is no longer valid for renewal.

Source : https://social.technet.microsoft.com/Forums/windowsserver/en-US/e0c6a401-1609-47c9-8f1c-6437b98bef2a/how-does-kerberos-ticket-or-tgt-get-renewed-or-refreshed?forum=winserversecurity

April 24th, 2015 4:50pm
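To make the arithmetic in the quoted excerpt concrete, here is an added model (not from the original thread or from Microsoft) of how End Time and Renew Till bound a TGT, and how far a ticket holder who renews as often as possible can stretch it under a 7-day versus a 1-day renewal lifetime. The 10-hour maximum ticket life is the Windows Kerberos policy default; the field names follow the excerpt.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Tgt:
    start: datetime
    end: datetime         # End Time: expiry of the current instance
    renew_till: datetime  # Renew Till: cumulative limit, fixed at first issue


def issue_tgt(now: datetime, max_ticket_life: timedelta, max_renewal_life: timedelta) -> Tgt:
    """Initial issue: End Time = Start + max ticket life, Renew Till = Start + max renewal life."""
    renew_till = now + max_renewal_life
    return Tgt(start=now, end=min(now + max_ticket_life, renew_till), renew_till=renew_till)


def renew_tgt(tgt: Tgt, now: datetime, max_ticket_life: timedelta):
    """The KDC's renewal check as described above; returns the new instance or None if refused."""
    if now >= tgt.end:
        return None  # current instance already expired; a fresh logon with the password is needed
    if now >= tgt.renew_till:
        return None  # cumulative lifetime exhausted
    # New instance gets a later End Time, but never beyond Renew Till.
    return Tgt(start=tgt.start, end=min(now + max_ticket_life, tgt.renew_till), renew_till=tgt.renew_till)


def last_usable_time(issued_at: datetime, max_ticket_life: timedelta, max_renewal_life: timedelta) -> datetime:
    """Worst case for the defender: the holder renews one minute before every expiry."""
    tgt = issue_tgt(issued_at, max_ticket_life, max_renewal_life)
    while True:
        renewed = renew_tgt(tgt, tgt.end - timedelta(minutes=1), max_ticket_life)
        if renewed is None or renewed.end <= tgt.end:
            return tgt.end  # renewal refused or no longer extends anything
        tgt = renewed


if __name__ == "__main__":
    t0 = datetime(2015, 4, 24, 9, 0)  # constructed issue time
    for policy_days in (7, 1):
        dies = last_usable_time(t0, timedelta(hours=10), timedelta(days=policy_days))
        print(f"renewal lifetime {policy_days}d: ticket unusable after {dies}")
```

With the default 10-hour ticket life, the only thing the policy change alters is the Renew Till bound: a ticket taken at issue time stops being renewable after 1 day instead of 7.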

Hi,

How is it going? If you need further help regarding the question, please don't hesitate to let us know.

Best regards,

Frank Shen

April 27th, 2015 3:36am
