Administration
Attributes Tab (Principal Information window)
The Lock Principal attribute applies to both user and service principals. If this attribute is set for a user principal, no tickets can be issued to the user. If this attribute is set for a service principal, no tickets are issued for it.
The Lock attribute becomes set when a principal exceeds the maximum number of failed authentication attempts allowable by the password policy file. The default maximum level allowed for failed authentication attempts is five (5). If a principal is locked, an administrative user must unlock the principal before the user can authenticate again.
Allow As Service Attribute
The Allow As Service attribute specifies whether a principal is allowed to act as a service. Set this attribute to allow a principal to act as a service (that is, the principal’s name is in the server field of the service ticket). This attribute should be selected for any principal that is used as a service principal.
The Allow As Service Attribute can be applied to all principals, not just principals that act solely as service principals. The attribute is selected by default.
NOTE: User principals need to have this attribute set when using
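The Lock Principal and Allow As Service rules described above, as a small decision model in Python. This is an added example, not code from the product: ToyKDC, Principal and the sample principals and passwords are constructed, and locking on the sixth failure (reading "exceeds" literally) and clearing the counter on success are assumptions.

```python
from dataclasses import dataclass

MAX_FAILED = 5  # page's default; the real limit comes from the password policy file
@dataclass
class Principal:
    name: str
    password: str = ""             # stand-in for the principal's key (assumption)
    locked: bool = False           # Lock Principal attribute
    allow_as_service: bool = True  # Allow As Service, selected by default
    failed: int = 0

class ToyKDC:
    """Hypothetical decision model, not the server's implementation."""
    def __init__(self, *principals):
        self.db = {p.name: p for p in principals}

    def initial_auth(self, user, password):
        p = self.db[user]
        if p.locked:
            return "locked"        # refused even with the correct password
        if password != p.password:
            p.failed += 1
            p.locked = p.failed > MAX_FAILED  # "exceeds" read literally: 6th failure locks
            return "bad password"
        p.failed = 0               # assumption: success clears the counter
        return "tgt issued"

    def service_ticket(self, user, service):  # assumes the user already holds a TGT
        u, s = self.db[user], self.db[service]
        if u.locked or s.locked:
            return "user locked" if u.locked else "service locked"
        if not s.allow_as_service:
            return "not allowed as service"
        return "service ticket issued"

    def admin_unlock(self, name):  # only an administrative user clears the lock
        self.db[name].locked, self.db[name].failed = False, 0

def demo():
    kdc = ToyKDC(Principal("alice", "pw-a"), Principal("host/app1"),
                 Principal("bob", "pw-b", allow_as_service=False))
    out = [kdc.initial_auth("alice", "wrong") for _ in range(6)]
    out += [kdc.initial_auth("alice", "pw-a"),          # locked
            kdc.service_ticket("alice", "host/app1")]   # user locked
    kdc.admin_unlock("alice")
    kdc.db["host/app1"].locked = True   # administrator locks a service principal
    return out + [kdc.initial_auth("alice", "pw-a"),    # tgt issued
                  kdc.service_ticket("alice", "bob"),   # not allowed as service
                  kdc.service_ticket("alice", "host/app1")]  # service locked
```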
Require Initial Authentication Attribute
The Require Initial Authentication attribute specifies whether the server is allowed to issue service tickets for the service principal on behalf of a user principal using a previously obtained TGT.
If this attribute is set for the service principal, a user principal is required to go through initial authentication, i.e., required to authenticate to the server again, to obtain a ticket for that service. For example, the Change Password service requires that a principal enter a password to receive a ticket for the