Kerberos user ticket policy, How do Real Admin set it

[APOC9109]

I was told that the reason some of my users cannot access resources if they have benn logged on more than 8 hours may becuase my kerberos policy setting for "lifetime of a user ticket" is set for 8 hours. Is this true.
But then there is another policy for ticket renewal set to 7 days. this confuses me, they need to wait 7 days to renew??

If someone knowledgeable could help explain some common REAL setings of the policies i would be greatly apprecaitive. thanks

 

[PScottC]

Um... Real admins don't mess with those settings unless directed to do so by Microsoft. The settings that are in the Default Domain Policy GPO object are correct for 99.99% of organizations out there. I would say that you have some other issue going on like replication failures or problems with the Key Distribution Center (KDC) service on your domain controllers. Are you getting any error events in the logs of your domain controllers?

Workstations and users should automatically request new Kerberos tickets in a timely manner. Are the client systems unable to get new tickets?

Oh... and one other thing... Do you have logon hours restricted for your users?

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers