Vasya

Reputation: 11

What exactly does the setting "Enforce user logon restrictions" in Kerberos Policy do?

According to the Windows documentation:

The Enforce user logon restrictions policy setting determines whether the Kerberos V5 Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the user account.

I enabled this setting and expected that, if I already had an active TGT (Ticket-Granting Ticket) and the account was then disabled or the password was expired, I would no longer be able to obtain a TS (Ticket for Service) with this TGT. However, I was still able to get a TS.

My client (from which I am sending requests) is a non-Windows client, if it matters.

Did I correctly understand this policy setting, and are my expectations reasonable? If this setting should work as I described, are there any reasons why it doesn’t work?

Upvotes: 1

Views: 45

Answers (0)
