Global Kerberos v5 Identity Settings

The global Kerberos v5 settings define default credential lifetimes and minimum and maximum values for use in constructing the slider controls used to set the lifetimes. 

There are two expiration times associated with Kerberos tickets.  The first specifies the length of the time period during which the tickets are valid for use.  The second specifies the length of the renewable lifetime.  Valid Kerberos tickets may have their valid use lifetime repeatedly extended up until the renewable lifetime expires.  The settings on this page are used to configure default lifetime values for NetIdMgr to use when requesting Kerberos tickets from the Kerberos server (key distribution center).  The Kerberos server may issue tickets with shorter lifetimes than were requested.

The Renewable, Forwardable, and Addressless options determine whether or not new identities default to obtaining Kerberos v5 tickets with these options.

When Forwardable tickets are received from the Kerberos Server, these tickets can be forwarded to a remote host when you connect via telnet, ssh, ftp, rlogin, or similar applications.  When tickets are forwarded, there is no need to obtain Kerberos tickets again to access Kerberized services on the remote host.   Forwardable tickets are often required when authenticating to a remote host using ssh or ftp when the remote host requires the ability to authenticate to a remote file system such as AFS.

When Renewable tickets are received from the Kerberos Server, the ticket lifetimes may be renewed without prompting the user for her password.  This allows Kerberos tickets to be issued with short lifetimes, so that compromised accounts can be disabled on short notice, without requiring the user to enter a password every few hours.  When combined with Automatic Ticket Renewal, NetIdMgr can maintain valid tickets for a week, a month, or longer by automatically renewing tickets prior to their expiration.  The ability to renew tickets without a password is limited by the ticket's renewable lifetime as issued by the Kerberos Server.
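
The interaction between the two expiration times, and the effect of disabling an account, can be worked through with a small model. The Python below is an added example, not NetIdMgr code or part of the original help text. It assumes that a renewal keeps the original valid-use length capped at the renewable lifetime, that the server refuses renewals once an account is disabled, and a hypothetical renew_margin for how early automatic renewal runs; all sample numbers are constructed.

```python
from dataclasses import dataclass

HOUR = 3600  # all times are seconds since the initial password login

@dataclass(frozen=True)
class Ticket:
    start: int       # start of the current valid-use period
    end: int         # end of the valid-use lifetime
    renew_till: int  # end of the renewable lifetime

def issue(req_life, req_renew, kdc_max_life, kdc_max_renew):
    """Initial request: the server may issue shorter lifetimes than requested."""
    life = min(req_life, kdc_max_life)
    return Ticket(0, life, max(life, min(req_renew, kdc_max_renew)))

def renew(t, now):
    """Assumed renewal rule: same valid-use length, never past renew_till."""
    return Ticket(now, min(now + (t.end - t.start), t.renew_till), t.renew_till)

def timeline(t, renew_margin, disabled_at=None):
    """Return (renewal times, time at which the last ticket expires).

    renew_margin is a hypothetical setting: how long before expiry the
    automatic renewal runs. disabled_at models an account disabled at that
    time, assuming the server refuses every renewal from then on.
    """
    if not 0 < renew_margin < t.end - t.start:
        raise ValueError("renew_margin must be shorter than the ticket lifetime")
    renewals = []
    while t.end < t.renew_till:
        now = t.end - renew_margin
        if disabled_at is not None and now >= disabled_at:
            break  # renewal refused; the current ticket still runs to t.end
        t = renew(t, now)
        renewals.append(now)
    return renewals, t.end

if __name__ == "__main__":
    # Constructed sample: 10 h requested, server caps at 8 h, 7 days renewable.
    short = issue(10 * HOUR, 168 * HOUR, 8 * HOUR, 168 * HOUR)
    # Constructed contrast: one long-lived ticket with nothing left to renew.
    long_ = issue(168 * HOUR, 168 * HOUR, 168 * HOUR, 168 * HOUR)
    for name, t in (("short+renewable", short), ("long", long_)):
        renewals, expiry = timeline(t, HOUR)
        _, cut = timeline(t, HOUR, disabled_at=20 * HOUR)
        print(f"{name}: {len(renewals)} renewals, password again at "
              f"{expiry // HOUR} h; disabled at 20 h, usable until {cut // HOUR} h")
```

In both constructed cases the password is needed again only after 7 days, but the short renewable ticket stops working 2 hours after the account is disabled, while the single long-lived ticket remains usable for the rest of the week.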

When Addressless is selected, the tickets do not contain IP address information.  This enables the tickets to be used from behind Network Address Translators which are frequently found in Cable and DSL Modems.

The minimum and maximum ranges are used by the ticket initialization dialog box when constructing the Lifetime and Renewable Lifetime sliders.  These sliders can be used to modify the requested ticket lifetimes when Kerberos tickets are initialized.