-
Título
Increase of the Kerberos ticket_lifetime in vas.conf is not being reflected in tickets. -
Descrição
How to increase the Kerberos ticket lifetime. Increasing the ticket lifetime in vas.conf is not being reflected in tickets. -
Causa
Authentication Services cannot be configured for ticket lifetimes that are longer then what is configured in the domain. -
Resolução
Whatever max ticket is applied to the machine, that's the lifetime we REQUEST. The amount we request needs to be less than or equal to the ALLOWED ticket lifetime, which is set at the domain level.
So, if the domain allows tickets up to 10 hours, and you apply a policy that says max ticket lifetime is 24 hours, you're going to get a 10 hour ticket. If the domain allows tickets up to 24 hours, but the max ticket lifetime policy says 10 hours, we'll request a 10 hour ticket and get a 10 hour ticket.From the vas.conf man page:
ticket_lifetime = <integer (seconds)>
Default value: 10h
This option controls the length of time that a ticket requested by a
user will be valid. Note that this only defines what the client asks
for, and this is ultimately decided by the server. Active Directory
has policies that control the maximum lifetime for tickets, so if
the client request is longer than what Active Directory allows, the
resulting ticket will only last for as long as Active Directory
allows. The following example shows how to configure the ticket
lifetime to be 24 hours.