Administering the Kerberos Server
Attributes Tab (Principal Information Window)
Table: Attributes Tab Components (Continued)

| Components | Description |
|---|---|
| Require Preauthentication | Specifies whether a principal is required to use preauthentication in the TGT request. Preauthentication means that additional known encrypted data is sent with the ticket request, providing additional security when the TGT is presented to gain access to a secured service. The Require Preauthentication attribute applies to user and service principals. If this attribute is set for a user principal, the user is required to run the logon software that performs authentication using the preauthentication protocol. If this attribute is set for a service principal, the service cannot accept TGTs from a user principal if the user did not obtain a TGT using a preauthentication protocol. |
| Require Password Change | Specifies that a principal must change its password during the next logon to the Kerberos server. The Require Password Change attribute applies to user principals. When new principals are added to the database or when the password of the principal is changed, this attribute is controlled by the NoReqChangePwd setting in the password policy file of the principal. By default, NoReqChangePwd is set to 0 (zero), meaning that users must change their passwords during first logon. |