HiWe tried to use a postdated kerberos ticket on a w2k3r2 domain.(Forest/Domain Mode Windows Server 2003). For this attempt we used a Linux client which are integrated to the AD/Kerberosrealm. But we didn't get a postdated ticket with kinit. We thought that a postdated tickets should work with an AD-environmentWindows Server 2003 and above(but not with Windows 2000). But it won't.After setting on the kerberos logging feature of the DC/KDC we get thefollowing error: KDC-Error: KdcBuildTicketTimesAndFlags asked for allow_postdate but notallowed: KdcOptions 0x56000010, SourceTicketFlags 0x50800000,ServerPolicyFlags 0x7b 408.1004 It's unclear to us how we can change the kerberos policy to allowpostdated tickets. (We didn't delegate anything)Juergen

According to what I've been able to discover Windows Server 2003 should be able to support postdated tickets and it also appears that there should be a Group Policy setting for this. Like, I've not been able to locate the referenced GP setting. I'm checking with some folks I know at Microsoft and will update this thread when I get a response.Paul Adare CTO IdentIT Inc. ILM MVP

Hi Paul do you have any news?