Skip to main content

8.2. Recommended KDC Values

Overview

This section provides recommendations for various KDC operational parameters to promote interoperability and reasonable default behavior.

Ticket Lifetimes

Default Ticket Lifetime

Recommended: 10-12 hours
Balances security and usability
Should be configurable per policy

Maximum Ticket Lifetime

Recommended: 1 day
Limits exposure of compromised tickets
Should be adjustable based on risk assessment

Renewable Ticket Lifetime

Recommended: 1 week
Allows long-running processes without credential storage
Balances convenience and security

Clock Skew Tolerance

Recommended Value

5 minutes (300 seconds)
Accommodates minor clock synchronization issues
Should not be too large (replay window)
Must be configurable

Encryption and Checksum

Algorithm Support

Support modern encryption algorithms
Deprecate weak algorithms
Follow current cryptographic best practices
See RFC 3961, 3962, 4120 for specifics

Pre-Authentication

Recommended Policies

Require pre-authentication for user principals
Prevents offline dictionary attacks
PA-ENC-TIMESTAMP widely supported
Consider additional pre-auth mechanisms

Address Restrictions

Modern Considerations

Address restrictions less useful with NAT/proxies
Consider addressless tickets as default
Policy should be configurable
Balance security needs vs. deployment reality

Cross-Realm

Configuration

Document trust relationships clearly
Establish appropriate transited policies
Consider hierarchical realm organization
Implement transit verification appropriately

Reference

For complete recommendations, refer to RFC 4120 Section 8.2.

Overview
Ticket Lifetimes
Clock Skew Tolerance
- Recommended Value
Encryption and Checksum
- Algorithm Support
Pre-Authentication
- Recommended Policies
Address Restrictions
- Modern Considerations
Cross-Realm
- Configuration
Reference