
KB-4662: How to refresh an AD user account's Kerberos ticket automatically via group policy

Centrify DirectControl, Centrify Identity Service, Mac Edition

12 April 2016 at 11:11 AM

Applies to: Centrify DirectControl on all platforms

Question:

How to set Kerberos credentials to automatically renew via group policy?


Answer:

By default, an Active Directory user's Kerberos tickets are valid for 10 hours. If the Active Directory user stays logged in and their Kerberos credentials expire, those credentials will not be renewed until the user logs in to the machine again or manually runs the "kinit" command in the Terminal while connected to a domain controller.

To enable automatic renewal, enable the group policy located under:
  • Computer Configuration / DirectControl Settings / Kerberos Settings / "Renew credentials automatically"

This allows the AD user's Kerberos tickets to be renewed automatically after they expire, even if the user is disconnected from a domain controller. This may be useful for users who work remotely.

After enabling this parameter, Centrify Suite keeps a hash of the user's password in memory indefinitely. If adclient is stopped or restarted, either manually or by rebooting the system, the user's password hash is removed from memory and the user must re-authenticate.

By default, Kerberos credentials will be renewed every 8 hours unless a different renewal interval is set at the following location:
  • Computer Configuration / DirectControl Settings / Kerberos Settings / "Set credential renewal interval"

_________________________________________________________________________________________________________________________



The "Renew credentials automatically" and "Set credential renewal interval" values can also be set manually on a single machine by editing the Centrify DirectControl configuration file directly at /etc/centrifydc/centrifydc.conf and setting the following values:
  • krb5.cache.infinite.renewal: true
  • krb5.cache.renew.interval: 8

Note: After changing these values manually and saving the configuration file, run the following command so that adclient picks up the new settings: sudo adreload
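The manual procedure above (set the two keys in centrifydc.conf, then run adreload) is easy to get wrong on a file that already carries commented-out or duplicate entries. The script below is an added example, not Centrify's own tooling: it sets the two keys idempotently in a "key: value" file (replacing an existing active or commented line rather than appending a duplicate), reads the active values back so an auditor can check whether infinite renewal is on, and only runs adreload when it is pointed at the real configuration path. The config file it works on is a constructed sample; the key names are the two from the article, and the helper and function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the Centrify KB article or product).
# Works on files in the "key: value" style shown in the article.

# Constructed sample centrifydc.conf; both renewal keys start commented out.
make_sample_conf() {
    cat > "$1" <<'EOF'
# centrifydc.conf (constructed sample for this example)
example.unrelated.key: keep-me
# krb5.cache.infinite.renewal: false
# krb5.cache.renew.interval: 8
EOF
}

# get_conf_key FILE KEY : print the active (uncommented) value of KEY, if any.
get_conf_key() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                      # commented-out lines set nothing
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*:/, ":", line)            # tolerate "key : value"
            if (index(line, key ":") == 1) {
                val = substr(line, length(key) + 2)
                sub(/[ \t]*#.*$/, "", val)       # drop a trailing comment
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                found = val                      # last active definition wins
            }
        }
        END { if (found != "") print found }
    ' "$1"
}

# set_conf_key FILE KEY VALUE : replace the first matching line (active or
# commented out), drop any duplicates, append if the key was absent.
set_conf_key() {
    file=$1; key=$2; value=$3
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0 }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)     # strip blanks and a comment marker
            sub(/[ \t]*:/, ":", line)
            if (index(line, key ":") == 1) {
                if (!done) { print key ": " value; done = 1 }
                next                             # swallow duplicates
            }
            print
        }
        END { if (!done) print key ": " value }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# enable_auto_renew FILE [HOURS] : the two settings from the article.
enable_auto_renew() {
    set_conf_key "$1" krb5.cache.infinite.renewal true
    set_conf_key "$1" krb5.cache.renew.interval "${2:-8}"
}

# auto_renew_status FILE : "enabled" means adclient will keep the user's
# password hash in memory indefinitely (see the article), so this is the
# value to check during a host review.
auto_renew_status() {
    if [ "$(get_conf_key "$1" krb5.cache.infinite.renewal)" = "true" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# apply_to_host FILE [HOURS] : edit the real file and reload adclient.
apply_to_host() {
    enable_auto_renew "$1" "$2"
    if [ "$1" = /etc/centrifydc/centrifydc.conf ] && command -v adreload >/dev/null 2>&1; then
        sudo adreload
    else
        echo "edited $1; on a Centrify host run: sudo adreload"
    fi
}

# Offline demonstration on the constructed sample.
demo() {
    tmp=$(mktemp)
    make_sample_conf "$tmp"
    echo "before: $(auto_renew_status "$tmp")"
    enable_auto_renew "$tmp" 8
    echo "after:  $(auto_renew_status "$tmp"), interval $(get_conf_key "$tmp" krb5.cache.renew.interval)h"
    rm -f "$tmp"
}
demo
```

Run it as-is to see the before/after on the sample; to change a real host, call apply_to_host /etc/centrifydc/centrifydc.conf with root privileges, which edits the file and then runs adreload as the article instructs. The status function is the piece worth keeping in a compliance check: an "enabled" result is exactly the condition under which the password hash stays resident in adclient's memory.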


Read more about these group policies on pages 63-64 of the Centrify Group Policy Guide.