Disable revocation checking for the SSL certificate of KDC proxy servers

This policy setting allows you to disable the revocation check for the SSL certificate of the targeted KDC proxy server. If you enable this policy setting, the revocation check for the SSL certificate of the KDC proxy server is ignored by the Kerberos client. This policy setting should only be used when troubleshooting KDC proxy connections. Warning: When the revocation check is ignored, the server represented by the certificate is not guaranteed to be valid. If you disable or do not configure this policy setting, the Kerberos client enforces the revocation check for the SSL certificate. The connection to the KDC proxy server is not established if the revocation check fails.

Specify KDC proxy servers for Kerberos clients

This policy setting configures the Kerberos client’s mapping to KDC proxy servers for domains based on their DNS suffix names. If you enable this policy setting, the Kerberos client will use the KDC proxy server for a domain when a domain controller cannot be located, based on the configured mappings. To map a KDC proxy server to a domain, enable the policy setting, click Show, and then map the KDC proxy server name(s) to the DNS name for the domain using the syntax described in the options pane. In the Show Contents dialog box, in the Value Name column, type a DNS suffix name. In the Value column, type the list of proxy servers using the appropriate syntax format. To view the list of mappings, enable the policy setting and then click the Show button. To remove a mapping from the list, click the mapping entry to be removed and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. If you disable or do not configure this policy setting, the Kerberos client does not have KDC proxy server settings defined by Group Policy.

Require strict target SPN match on remote procedure calls

This policy setting allows you to configure this server so that Kerberos can decrypt a ticket that contains this system-generated SPN. When an application attempts to make a remote procedure call (RPC) to this server with a NULL value for the service principal name (SPN), computers running Windows 7 or later attempt to use Kerberos by generating an SPN. If you enable this policy setting, only services running as LocalSystem or NetworkService are allowed to accept these connections. Services running as identities other than LocalSystem or NetworkService might fail to authenticate. If you disable or do not configure this policy setting, any service is allowed to accept incoming connections by using this system-generated SPN.

Use forest search order

This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs). If you enable this policy setting, the Kerberos client searches the forests in this list if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain. If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used.

Require strict KDC validation

This policy setting controls the Kerberos client’s behavior in validating the KDC certificate for smart card and system certificate logon. If you enable this policy setting, the Kerberos client requires that the KDC’s X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions and that the KDC’s X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC’s X.509 certificate be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC’s X.509 certificate. If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions, which can be issued to any server.
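One way to check a domain controller's certificate against the two certificate-content requirements above before enabling strict KDC validation (an added PowerShell example, not part of the policy text). It assumes the standard KDC Authentication and Server Authentication EKU OIDs, takes the domain DNS name as a parameter, relies on the English "DNS Name=" rendering that Format() produces for the SAN extension, and does not check the NTAuth-store chaining requirement.

```powershell
# Added example: report whether a certificate satisfies the EKU and SAN
# requirements of "Require strict KDC validation". Assumes English locale
# for the SAN text rendering; the NTAuth chain requirement is not checked.
function Test-StrictKdcCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)]
        [string]$DomainDnsName   # DNS name of the domain the KDC serves
    )

    $KdcAuthEku    = '1.3.6.1.5.2.3.5'    # KDC Authentication (strict validation needs this)
    $ServerAuthEku = '1.3.6.1.5.5.7.3.1'  # Server Authentication (all the default behavior needs)

    # Collect the EKU OIDs present on the certificate (extension OID 2.5.29.37).
    $ekus = @()
    $ekuExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($ekuExt) {
        $typed = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($ekuExt, $false)
        $ekus = @($typed.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }

    # Collect the dNSName entries of the SAN extension (extension OID 2.5.29.17).
    $dnsNames = @()
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        foreach ($line in ($sanExt.Format($true) -split "`r?`n")) {
            if ($line -match '^\s*DNS Name=(.+)$') { $dnsNames += $Matches[1].Trim() }
        }
    }

    $hasKdcEku   = $ekus -contains $KdcAuthEku
    $sanMatches  = $dnsNames -contains $DomainDnsName   # -contains is case-insensitive

    [pscustomobject]@{
        Subject                  = $Certificate.Subject
        Thumbprint               = $Certificate.Thumbprint
        HasKdcAuthenticationEku  = $hasKdcEku
        HasServerAuthEkuOnly     = ($ekus -contains $ServerAuthEku) -and -not $hasKdcEku
        SanDnsNames              = $dnsNames
        SanMatchesDomain         = $sanMatches
        MeetsStrictKdcValidation = $hasKdcEku -and $sanMatches
    }
}

# Usage on a domain controller (domain name is a placeholder you replace):
# Get-ChildItem Cert:\LocalMachine\My |
#     ForEach-Object { Test-StrictKdcCertificate -Certificate $_ -DomainDnsName 'example.test' } |
#     Where-Object { -not $_.MeetsStrictKdcValidation }
```

A certificate that reports HasServerAuthEkuOnly is accepted under the default behavior but will be rejected once the policy is enabled, so run this against every KDC before turning it on.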

Define host name-to-Kerberos realm mappings

This policy setting allows you to specify which DNS host names and which DNS suffixes are mapped to a Kerberos realm. If you enable this policy setting, you can view and change the list of DNS host names and DNS suffixes mapped to a Kerberos realm as defined by Group Policy. To view the list of mappings, enable the policy setting and then click the Show button. To add a mapping, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box, in the Value Name column, type a realm name. In the Value column, type the list of DNS host names and DNS suffixes using the appropriate syntax format. To remove a mapping from the list, click the mapping entry to be removed and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. If you disable this policy setting, the host name-to-Kerberos realm mappings list defined by Group Policy is deleted. If you do not configure this policy setting, the system uses the host name-to-Kerberos realm mappings that are defined in the local registry, if they exist.

Request compound authentication

This policy setting allows you to configure a domain controller to request compound authentication. Note: For a domain controller to request compound authentication, the policy “KDC support for claims, compound authentication and Kerberos armoring” must be configured and enabled. If you enable this policy setting, domain controllers will request compound authentication. The returned service ticket will contain compound authentication only when the account is explicitly configured. This policy should be applied to all domain controllers to ensure consistent application of this policy in the domain. If you disable or do not configure this policy setting, domain controllers will return service tickets that contain compound authentication any time the client sends a compound authentication request, regardless of the account configuration.

Warning for large Kerberos tickets

This policy setting allows you to configure at what size Kerberos tickets will trigger the warning event issued during Kerberos authentication. The ticket size warnings are logged in the System log. If you enable this policy setting, you can set the threshold ticket size at which the warning events are triggered. If the threshold is set too high, authentication failures might be occurring even though warning events are not being logged. If it is set too low, there will be too many ticket warnings in the log for it to be useful for analysis. This value should be set to the same value as the Kerberos policy “Set maximum Kerberos SSPI context token buffer size”, or to the smallest MaxTokenSize used in your environment if you are not configuring it using Group Policy. If you disable or do not configure this policy setting, the threshold value defaults to 12000 bytes, which is the default Kerberos MaxTokenSize for Windows 7, Windows Server 2008 R2 and prior versions.

KDC support for claims compound authentication and Kerberos armoring

This policy setting allows you to configure a domain controller to support claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication. If you enable this policy setting, client computers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor-aware will use this feature for Kerberos authentication messages. This policy should be applied to all domain controllers to ensure consistent application of this policy in the domain. If you disable or do not configure this policy setting, the domain controller does not support claims, compound authentication or armoring. If you configure the “Not supported” option, the domain controller does not support claims, compound authentication or armoring, which is the default behavior for domain controllers running Windows Server 2008 R2 or earlier operating systems. Note: For the following options of this KDC policy to be effective, the Kerberos Group Policy “Kerberos client support for claims, compound authentication and Kerberos armoring” must be enabled on supported systems. If the Kerberos policy setting is not enabled, Kerberos authentication messages will not use these features. If you configure “Supported”, the domain controller supports claims, compound authentication and Kerberos armoring. The domain controller advertises to Kerberos client computers that the domain is capable of claims and compound authentication for Dynamic Access Control and Kerberos armoring.

Domain functional level requirements: For the options “Always provide claims” and “Fail unarmored authentication requests”, when the domain functional level is set to Windows Server 2008 R2 or earlier, domain controllers behave as if the “Supported” option is selected.

When the domain functional level is set to Windows Server 2012, the domain controller advertises to Kerberos client computers that the domain is capable of claims and compound authentication for Dynamic Access Control and Kerberos armoring, and:
– If you set the “Always provide claims” option, it always returns claims for accounts and supports the RFC behavior for advertising flexible authentication secure tunneling (FAST).
– If you set the “Fail unarmored authentication requests” option, it rejects unarmored Kerberos messages.

Warning: When “Fail unarmored authentication requests” is set, client computers which do not support Kerberos armoring will fail to authenticate to the domain controller. To ensure this feature is effective, deploy enough domain controllers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor-aware to handle the authentication requests. An insufficient number of domain controllers that support this policy results in authentication failures whenever Dynamic Access Control or Kerberos armoring is required (that is, when the “Supported” option is enabled).

Impact on domain controller performance when this policy setting is enabled:
– Secure Kerberos domain capability discovery is required, resulting in additional message exchanges.
– Claims and compound authentication for Dynamic Access Control increase the size and complexity of the data in the message, which results in more processing time and a greater Kerberos service ticket size.
– Kerberos armoring fully encrypts Kerberos messages and signs Kerberos errors, which results in increased processing time but does not change the service ticket size.

Use forest search order

This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolve two-part service principal names (SPNs). If you enable this policy setting, the KDC will search the forests in this list if it is unable to resolve a two-part SPN in the local forest. The forest search is performed by using a global catalog or name suffix hints. If a match is found, the KDC will return a referral ticket to the client for the appropriate domain. If you disable or do not configure this policy setting, the KDC will not search the listed forests to resolve the SPN. If the KDC is unable to resolve the SPN because the name is not found, NTLM authentication might be used. To ensure consistent behavior, this policy setting must be supported and set identically on all domain controllers in the domain.