Kerberos SettingsConfiguration settings for the Kerberos authentication protocol.KerberosUse forest search orderThis policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).
If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain.
If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used.Define host name-to-Kerberos realm mappingsThis policy setting allows you to specify which DNS host names and which DNS suffixes are mapped to a Kerberos realm.
If you enable this policy setting, you can view and change the list of DNS host names and DNS suffixes mapped to a Kerberos realm as defined by Group Policy. To view the list of mappings, enable the policy setting and then click the Show button. To add a mapping, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box in the Value Name column, type a realm name. In the Value column, type the list of DNS host names and DNS suffixes using the appropriate syntax format. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters.
If you disable this policy setting, the host name-to-Kerberos realm mappings list defined by Group Policy is deleted.
If you do not configure this policy setting, the system uses the host name-to-Kerberos realm mappings that are defined in the local registry, if they exist.Define interoperable Kerberos V5 realm settingsThis policy setting configures the Kerberos client so that it can authenticate with interoperable Kerberos V5 realms, as defined by this policy setting.
If you enable this policy setting, you can view and change the list of interoperable Kerberos V5 realms and their settings. To view the list of interoperable Kerberos V5 realms, enable the policy setting and then click the Show button. To add an interoperable Kerberos V5 realm, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box in the Value Name column, type the interoperable Kerberos V5 realm name. In the Value column, type the realm flags and host names of the host KDCs using the appropriate syntax format. To remove an interoperable Kerberos V5 realm Value Name or Value entry from the list, click the entry, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters.
If you disable this policy setting, the interoperable Kerberos V5 realm settings defined by Group Policy are deleted.
If you do not configure this policy setting, the system uses the interoperable Kerberos V5 realm settings that are defined in the local registry, if they exist.Require strict KDC validationThis policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon.
If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.
If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server.
Require strict target SPN match on remote procedure calls This policy setting allows you to configure this server so that Kerberos can decrypt a ticket that contains this system-generated SPN. When an application attempts to make a remote procedure call (RPC) to this server with a NULL value for the service principal name (SPN), computers running Windows 7 or later attempt to use Kerberos by generating an SPN.
If you enable this policy setting, only services running as LocalSystem or NetworkService are allowed to accept these connections. Services running as identities different from LocalSystem or NetworkService might fail to authenticate.
If you disable or do not configure this policy setting, any service is allowed to accept incoming connections by using this system-generated SPN.Specify KDC proxy servers for Kerberos clientsThis policy setting configures the Kerberos client's mapping to KDC proxy servers for domains based on their DNS suffix names.
If you enable this policy setting, the Kerberos client will use the KDC proxy server for a domain when a domain controller cannot be located based on the configured mappings. To map a KDC proxy server to a domain, enable the policy setting, click Show, and then map the KDC proxy server name(s) to the DNS name for the domain using the syntax described in the options pane. In the Show Contents dialog box in the Value Name column, type a DNS suffix name. In the Value column, type the list of proxy servers using the appropriate syntax format. To view the list of mappings, enable the policy setting and then click the Show button. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters.
If you disable or do not configure this policy setting, the Kerberos client does not have KDC proxy servers settings defined by Group Policy.
Disable revocation checking for the SSL certificate of KDC proxy serversThis policy setting allows you to disable revocation check for the SSL certificate of the targeted KDC proxy server.
If you enable this policy setting, revocation check for the SSL certificate of the KDC proxy server is ignored by the Kerberos client. This policy setting should only be used in troubleshooting KDC proxy connections.
Warning: When revocation check is ignored, the server represented by the certificate is not guaranteed valid.
If you disable or do not configure this policy setting, the Kerberos client enforces the revocation check for the SSL certificate. The connection to the KDC proxy server is not established if the revocation check fails.
Fail authentication requests when Kerberos armoring is not availableThis policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller.
Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.
If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers.
Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring.
If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain.
Support compound authenticationThis policy setting controls configuring the device's Active Directory account for compound authentication.
Support for providing compound authentication which is used for access control will require enough domain controllers in the resource account domains to support the requests. The Domain Administrator must configure the policy "Support Dynamic Access Control and Kerberos armoring" on all the domain controllers to support this policy.
If you enable this policy setting, the device's Active Directory account will be configured for compound authentication by the following options:
Never: Compound authentication is never provided for this computer account.
Automatic: Compound authentication is provided for this computer account when one or more applications are configured for Dynamic Access Control.
Always: Compound authentication is always provided for this computer account.
If you disable this policy setting, Never will be used.
If you do not configure this policy setting, Automatic will be used.
NeverAutomaticAlwaysSet maximum Kerberos SSPI context token buffer sizeThis policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size.
The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token.
If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller.
If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value.
Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.
Kerberos client support for claims, compound authentication and Kerberos armoringThis policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features.
If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring.
If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition.
Always send compound authentication firstThis policy setting controls whether a device always sends a compound authentication request when the resource domain requests compound identity.
Note: For a domain controller to request compound authentication, the policies "KDC support for claims, compound authentication, and Kerberos armoring" and "Request compound authentication" must be configured and enabled in the resource account domain.
If you enable this policy setting and the resource domain requests compound authentication, devices that support compound authentication always send a compound authentication request.
If you disable or do not configure this policy setting and the resource domain requests compound authentication, devices will send a non-compounded authentication request first then a compound authentication request when the service requests compound authentication.
Define host name-to-realm mappings:Syntax:Enter the Kerberos realm name as the Value Name.Enter the host names and DNS suffixes, that you want tomap to the Kerberos realm, as the Value. To add multiplenames, separate entries with ";".Note: To specify a DNS suffix prepend the entry with a '.' period.For a host name entry do not specify a leading '.' period.Example:Value Name: MICROSOFT.COMValue: .microsoft.com; .ms.com; computer1.fabrikam.com;In the example above. All principals with either the DNS suffixof *.microsoft.com or *.ms.com will be mapped to theMICROSOFT.COM Kerberos realm. In addition the host namecomputer1.fabrikam.com will also be mapped to the MICROSOFT.COM Kerberos realm.Define interoperable Kerberos V5 realm settings:Syntax:Enter the interoperable Kerberos V5 realm name as the Value Name.Enter the realm flags and the host names of the KDCs asthe Value. Enclose the realm flags with the followingtags <f> </f>. Enclose the list of KDCs with the tags <k> </k>To add multiple KDC names, separate entries witha semi-colon ";".Example:Value Name: TEST.COMValue: <f>0x00000004</f><k>kdc1.test.com; kdc2.test.com</k>Another Example:Value Name: REALM.FABRIKAM.COMValue: <f>0x0000000E</f>Mode:Syntax:Enter the list of forests to be searched when this policy is enabled.Use the Fully Qualified Domain Name (FQDN) naming format.Separate multiple search entries with a semi-colon ";".Details:The current forest need not be listed because Forest Search Order uses the global catalog first then searches in the order listed.You do not need to separately list all the domains in the forest.If a trusting forest is listed, all the domains in that forest will be searched.For best performance, list the forests in probability of success order. Define KDC proxy servers settings:Syntax:Enter the DNS suffix name as the Value Name.DNS suffix name allows three formats with decreasing preference order:Full Match: host.contoso.comSuffix Match: .contoso.comDefault Match: *Enter the proxy server names as the Value.The proxy server names must be enclosed with tags <https />To add multiple proxy server names, separate entries with a space or comma ","Example:Value Name: .contoso.comValue: <https proxy1.contoso.com proxy2.contoso.com />Another Example:Value Name: *Value: <https proxy.contoso.com />Support authorization with client device information:Maximum size