Administration

Attributes Tab (Principal Information window)

Allow Duplicate Session Keys Attribute

The Duplicate Session Key attribute specifies whether a principal is allowed to use a duplicate session key. A duplicate session key is used in user-to-user authentication and specifies which key is used to encrypt the tickets.

Require Pre-authentication Attribute

The Require Preauthentication attribute specifies whether a principal is required to use preauthentication in the TGT request. Preauthentication means that additional known encrypted data is sent with the ticket request, providing additional security when the TGT is presented to gain access to a secured service.

The Require Preauthentication attribute applies to user and service principals. If this attribute is set for a user principal, the user is required to be running logon software that performs authentication using the preauthentication protocol. If this attribute is set for a service principal, the service cannot accept TGTs from a user principal if the user did not obtain the TGT using a preauthentication protocol.

Require Password Change Attribute

The Require Password Change attribute specifies that a principal must change its password during the next logon to the security server. The Require Password Change attribute applies to user principals.

When a new principal is added to the database or when a principal’s password is changed, this attribute is controlled by the NoReqChangePwd setting in the principal’s Password Policy file. By default, NoReqChangePwd is set to zero, meaning the user must change their password at the first logon.

Lock Principal Attribute

The Lock Principal attribute specifies whether a principal is active. A locked principal still exists in the principal database, but it is unable to use or provide Kerberized services.
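As an added illustration that is not part of this manual, the following Python model shows how a security server would enforce the four attributes described above in the TGT (AS) and service-ticket (TGS) exchanges. The `Principal` field names, the NoReqChangePwd handling on creation, the password-change-only restriction (using the conventional `kadmin/changepw` service name) and the user-to-user check are assumptions made for the example, not the product's own data model.

```python
from dataclasses import dataclass


@dataclass
class Principal:
    """Attribute checkboxes from the Principal Information window.
    The field names are assumptions for this example."""
    name: str
    is_user: bool = True
    allow_duplicate_session_keys: bool = False
    require_preauth: bool = False
    require_password_change: bool = False
    locked: bool = False


def new_principal(name, is_user=True, no_req_change_pwd=0):
    """Add a principal as the text describes: Require Password Change follows
    the NoReqChangePwd policy setting, which defaults to 0 (change at first
    logon). The attribute applies to user principals only."""
    return Principal(name=name, is_user=is_user,
                     require_password_change=is_user and no_req_change_pwd == 0)


def check_tgt_request(client, preauth_data_present):
    """AS exchange: should a TGT be issued? Returns (allowed, reason)."""
    if client.locked:
        return False, "principal is locked and cannot use Kerberized services"
    if client.require_preauth and not preauth_data_present:
        return False, "Require Preauthentication is set but no preauth data was sent"
    return True, "TGT issued"


def check_service_ticket(client, service, tgt_preauthenticated, user_to_user=False):
    """TGS exchange: may the client use its TGT to reach this service?
    The password-change exception and the user-to-user rule are assumptions
    about enforcement, not statements from the manual."""
    if service.locked:
        return False, "service principal is locked and cannot provide services"
    if client.locked:
        return False, "client principal is locked"
    if service.require_preauth and not tgt_preauthenticated:
        return False, "service requires a TGT obtained with preauthentication"
    if client.require_password_change and service.name != "kadmin/changepw":
        return False, "client must change its password before using other services"
    if user_to_user and not service.allow_duplicate_session_keys:
        return False, "user-to-user request but duplicate session keys are not allowed"
    return True, "service ticket issued"
```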

Chapter 6
