2020-09-30 16:53:55 +02:00

*****************************************************************************
*****************************************************************************

Kerberos Configuration Keys

*****************************************************************************
*****************************************************************************

Registry entries that Kerberos is interested in:

The following are in HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
At boot, these registry entries are read and stored in globals.  They are also
runtime configurable.

=============================================================================
Value "SkewTime" , Type REG_DWORD
Whatever it's set to is the clock skew tolerance in minutes; default is KERB_DEFAULT_SKEWTIME minutes.
#define KERB_DEFAULT_SKEWTIME           5
EXTERN TimeStamp KerbGlobalSkewTime;
This is the time difference that is tolerated between this machine and the
machine you are trying to authenticate to (a DC, another workstation, etc.).
KerbGlobalSkewTime is stored as a TimeStamp (10000000 units per second), the
same encoding the other minute-valued keys below use. On a checked build the
default is 2 hours.
=============================================================================
Value "LogLevel", Type REG_DWORD
If it's set to anything non-zero, all Kerberos errors will be logged in the
system event log. Default is KERB_DEFAULT_LOGLEVEL
#define KERB_DEFAULT_LOGLEVEL 0
KerbGlobalLoggingLevel saves this value.
=============================================================================
Value "MaxPacketSize" Type REG_DWORD
Whatever this is set to is the maximum packet size we'll try over UDP. If the
packet is bigger than this value, we'll use TCP instead. Default is
KERB_MAX_DATAGRAM_SIZE bytes.
#define KERB_MAX_DATAGRAM_SIZE          1500
KerbGlobalMaxDatagramSize saves this value.
=============================================================================
Value "StartupTime" Type REG_DWORD
In seconds. Wait for the specified number of seconds for the KDC to start
before giving up. Default is KERB_KDC_WAIT_TIME seconds.
#define KERB_KDC_WAIT_TIME      120
KerbGlobalKdcWaitTime saves this value.
=============================================================================
Value "KdcWaitTime" Type REG_DWORD
In seconds. Value passed to winsock as the timeout when selecting for a response
from a KDC. Default is KERB_KDC_CALL_TIMEOUT seconds.
#define KERB_KDC_CALL_TIMEOUT                   10
KerbGlobalKdcCallTimeout saves this value
=============================================================================
Value "KdcBackoffTime" Type REG_DWORD
In seconds. Value that is added to KerbGlobalKdcCallTimeout each successive
call to a KDC in case of a retry. Default is KERB_KDC_CALL_TIMEOUT_BACKOFF
seconds.
#define KERB_KDC_CALL_TIMEOUT_BACKOFF           10
KerbGlobalKdcCallBackoff saves this value.
=============================================================================
Value "KdcSendRetries" Type REG_DWORD
The number of retry attempts a client will make in order to contact a KDC.
Default is KERB_MAX_RETRIES
#define KERB_MAX_RETRIES                3
KerbGlobalKdcSendRetries saves this value
=============================================================================
Value "DefaultEncryptionType" Type REG_DWORD
The default encryption type for PreAuth. As of beta3, this was
KERB_ETYPE_RC4_HMAC_OLD
#ifndef DONT_SUPPORT_OLD_TYPES
    KerbGlobalDefaultPreauthEtype = KERB_ETYPE_RC4_HMAC_OLD;
#else
    KerbGlobalDefaultPreauthEtype = KERB_ETYPE_RC4_HMAC_NT;
#endif
KerbGlobalDefaultPreauthEtype saves this value
=============================================================================
Value "FarKdcTimeout" Type REG_DWORD
Time in minutes. This timeout is used to invalidate a DC in the Kerberos
client's DC cache, for DCs that are not in the same site as the client.
Default is KERB_BINDING_FAR_DC_TIMEOUT minutes.
#define KERB_BINDING_FAR_DC_TIMEOUT 10
KerbGlobalFarKdcTimeout saves this value as a TimeStamp ( 10000000 * 60 * number of minutes).
=============================================================================
Value "NearKdcTimeout" Type REG_DWORD
Time in minutes. This timeout is used to invalidate a DC in the Kerberos
client's DC cache, for DCs that are in the same site as the client.
Default is KERB_BINDING_NEAR_DC_TIMEOUT minutes.
#define KERB_BINDING_NEAR_DC_TIMEOUT    30
KerbGlobalNearKdcTimeout saves this value as a TimeStamp ( 10000000 * 60 * number of minutes).
=============================================================================
Value "StronglyEncryptDatagram" Type REG_BOOL
Flag that decides whether 128-bit encryption is used for datagram traffic. Default is
KERB_DEFAULT_USE_STRONG_ENC_DG
#define KERB_DEFAULT_USE_STRONG_ENC_DG FALSE
KerbGlobalUseStrongEncryptionForDatagram saves this value.
=============================================================================
Value "MaxReferralCount" type REG_DWORD
Count of how many KDC referrals the client will follow before giving up.
Default is KERB_MAX_REFERRAL_COUNT = 6
KerbGlobalMaxReferralCount saves this value
=============================================================================
Value "KerbDebugLevel" type REG_DWORD
Debug log levels used in DebugLog() macro.  Default is DEB_ERROR for CHK builds
and 0 (no logging) for FRE builds.  Possible values include:

#define DEB_ERROR               0x00000001
#define DEB_WARN                0x00000002
#define DEB_TRACE               0x00000004
#define DEB_TRACE_API           0x00000008
#define DEB_TRACE_CRED          0x00000010
#define DEB_TRACE_CTXT          0x00000020
#define DEB_TRACE_LSESS         0x00000040
#define DEB_TRACE_TCACHE        0x00000080
#define DEB_TRACE_LOGON         0x00000100
#define DEB_TRACE_KDC           0x00000200
#define DEB_TRACE_CTXT2         0x00000400
#define DEB_TRACE_TIME          0x00000800
#define DEB_TRACE_USER          0x00001000
#define DEB_TRACE_LEAKS         0x00002000
#define DEB_TRACE_SOCK          0x00004000
#define DEB_TRACE_SPN_CACHE     0x00008000
#define DEB_S4U_ERROR           0x00010000
#define DEB_TRACE_S4U           0x00020000
#define DEB_TRACE_BND_CACHE     0x00040000
#define DEB_TRACE_LOOPBACK      0x00080000
#define DEB_TRACE_TKT_RENEWAL   0x00100000
#define DEB_TRACE_U2U           0x00200000
#define DEB_TRACE_LOCKS         0x01000000
#define DEB_USE_LOG_FILE        0x02000000

These values are stored in KerbInfoLevel and KSuppInfoLevel (for common2 routines).
=============================================================================
Value "MaxTokenSize" type REG_DWORD
This sets the QCA value for maximum token size, and is used to allow QCA to 
be modified to return a value large enough for tickets containing large numbers
of groups.  It is recommended that this value remain less than 50k.

Default #define KERBEROS_MAX_TOKEN 12000

KerbGlobalMaxTokenSize stores this value.
=============================================================================
Value "SpnCacheTimeout" type REG_DWORD

Time in minutes. This timeout is used to determine the lifetime of the SPN cache 
entries.  Default is 15 minutes. On domain controllers, the default is to not cache SPNs.

Default is #define KERB_SPN_CACHE_TIMEOUT          15

KerbGlobalSpnCacheTimeout stores value as a TimeStamp ( 10000000 * 60 * number of minutes).
=============================================================================
Value "S4UCacheTimeout" type REG_DWORD

Time in minutes. This timeout is used to determine the lifetime of the S4U negative cache
entries, which are used to restrict how many S4UProxy requests hit the wire from a given
machine.

Default is #define KERB_S4U_CACHE_TIMEOUT          15

KerbGlobalS4UCacheTimeout stores value as a TimeStamp ( 10000000 * 60 * number of minutes).
=============================================================================
Value "S4UTicketLifetime" type REG_DWORD

Time in minutes. This timeout is used to determine the lifetime of tickets obtained by S4U 
proxy requests.

Default is #define KERB_S4U_TICKET_LIFETIME        15

KerbGlobalS4UTicketLifetime stores value as a TimeStamp ( 10000000 * 60 * number of minutes).
=============================================================================
Value "RetryPdc" type REG_DWORD

0 or non-zero (FALSE, or TRUE).  Determines if we'll attempt to contact the PDC 
for password expired errors for AS_REQ.

Default is FALSE.

KerbGlobalRetryPdc stores value as a BOOLEAN
=============================================================================
Value "RequestOptions" type REG_DWORD

Determines whether additional options need to be emitted as KdcOptions in
TGS_REQ.  Meant for future modifications of KDC options; can be any
RFC 1510 value.

Default is :

#define KERB_ADDITIONAL_KDC_OPTIONS     (KERB_KDC_OPTIONS_name_canonicalize)

KerbGlobalKdcOptions stored as a ULONG.
=============================================================================
Value "ClientIpAddresses" type REG_DWORD

0 or non-zero (FALSE, or TRUE).  Determines if we'll add in IP addresses in 
AS_REQ, thus forcing the caddr field to contain IP addresses in all tickets.

Default is FALSE, due to DHCP / NAT issues.

#define KERB_DEFAULT_CLIENT_IP_ADDRESSES 0

KerbGlobalUseClientIpAddresses stores value as a BOOLEAN
=============================================================================
Value "TgtRenewalTime" type REG_DWORD

Time in seconds. Determines how long before a TGT expires that Kerberos will
attempt to renew the ticket.  Only applies to initial TGTs.

Default is #define KERB_DEFAULT_TGT_RENEWAL_TIME 600

KerbGlobalTgtRenewalTime stores value as a TimeStamp ( 10000000 * 60 * number of minutes).
=============================================================================
Value "AllowTgtSessionKey" type REG_DWORD

0 or non-zero (FALSE, or TRUE).  Determines if we'll allow session keys to
be exported with initial, or cross realm TGTs.

Default is FALSE, due to security concerns.

KerbGlobalAllowTgtSessionKey stores value as a BOOLEAN
=============================================================================
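The client keys above are all DWORDs compared against compiled-in defaults, and the minute-valued ones are converted to a TimeStamp before use. The following script is an added example (not from the Kerberos source tree) that reads the Parameters key, reports which values are explicitly set or overridden relative to the FRE defaults listed in these notes, flags the overrides the notes call security-relevant, and shows the TimeStamp encoding for the minute-valued keys. It assumes Windows PowerShell 5.1 or later; the `$defaults` table is transcribed from this section (checked-build defaults such as the 2-hour SkewTime are not modelled), and the function names are ours.

```powershell
# Added example, not from the Kerberos source tree: compare the client
# parameters under the Parameters key with the FRE defaults documented above.
# Assumes Windows PowerShell 5.1+ with the registry provider.

$paramsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

# Defaults transcribed from the notes above (FRE build).
$defaults = [ordered]@{
    SkewTime                = @{ Default = 5;     Unit = 'minutes' }
    LogLevel                = @{ Default = 0;     Unit = 'flag'    }
    MaxPacketSize           = @{ Default = 1500;  Unit = 'bytes'   }
    StartupTime             = @{ Default = 120;   Unit = 'seconds' }
    KdcWaitTime             = @{ Default = 10;    Unit = 'seconds' }
    KdcBackoffTime          = @{ Default = 10;    Unit = 'seconds' }
    KdcSendRetries          = @{ Default = 3;     Unit = 'count'   }
    FarKdcTimeout           = @{ Default = 10;    Unit = 'minutes' }
    NearKdcTimeout          = @{ Default = 30;    Unit = 'minutes' }
    StronglyEncryptDatagram = @{ Default = 0;     Unit = 'bool'    }  # documented as REG_BOOL; read as a DWORD here
    MaxReferralCount        = @{ Default = 6;     Unit = 'count'   }
    MaxTokenSize            = @{ Default = 12000; Unit = 'bytes'   }
    SpnCacheTimeout         = @{ Default = 15;    Unit = 'minutes' }
    S4UCacheTimeout         = @{ Default = 15;    Unit = 'minutes' }
    S4UTicketLifetime       = @{ Default = 15;    Unit = 'minutes' }
    RetryPdc                = @{ Default = 0;     Unit = 'bool'    }
    ClientIpAddresses       = @{ Default = 0;     Unit = 'bool'    }
    TgtRenewalTime          = @{ Default = 600;   Unit = 'seconds' }
    AllowTgtSessionKey      = @{ Default = 0;     Unit = 'bool'    }
}

# Overrides of these loosen a protection the notes above call out explicitly
# (exported TGT session keys, weaker datagram encryption, a wider skew window).
$reviewIfChanged = @('AllowTgtSessionKey', 'StronglyEncryptDatagram', 'SkewTime')

# Minute-valued keys are kept in memory as a TimeStamp in 100-nanosecond
# units, i.e. 10000000 * 60 * minutes, as the notes above describe.
function ConvertTo-KerbTimeStamp {
    param([int64]$Minutes)
    return [int64]10000000 * 60 * $Minutes
}

function Get-KerbClientConfigReport {
    # A missing key simply means every value is at its compiled-in default.
    $live = Get-ItemProperty -Path $paramsPath -ErrorAction SilentlyContinue
    foreach ($name in $defaults.Keys) {
        $meta  = $defaults[$name]
        $raw   = if ($null -ne $live) { $live.$name } else { $null }
        $value = if ($null -ne $raw) { [int64]$raw } else { $null }

        if ($null -eq $value) {
            $state = 'default (value absent)'
        } elseif ($value -eq $meta.Default) {
            $state = 'default (set explicitly)'
        } else {
            $state = 'OVERRIDDEN'
        }

        $note = ''
        if ($state -eq 'OVERRIDDEN' -and $name -in $reviewIfChanged) {
            $note = 'review: security-relevant'
        }
        if ($meta.Unit -eq 'minutes' -and $null -ne $value) {
            $note = ($note, ('TimeStamp ' + (ConvertTo-KerbTimeStamp $value))) -join ' '
        }

        [pscustomobject]@{
            Name    = $name
            Default = $meta.Default
            Unit    = $meta.Unit
            Current = if ($null -eq $value) { '-' } else { $value }
            State   = $state
            Note    = $note.Trim()
        }
    }
}

Get-KerbClientConfigReport | Format-Table -AutoSize
```

Run it on a workstation or member server; an `OVERRIDDEN` row with a `review` note is the one to reconcile with change records, since these keys are runtime configurable and leave no trace other than the registry value itself.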

*****************************************************************************
*****************************************************************************

KDC Configuration Keys

*****************************************************************************
*****************************************************************************

The following keys apply to the KDC only, and are located at:

HKLM\System\CurrentControlSet\Services\Kdc.  They are runtime configurable.


=============================================================================
Value "KdcUseClientAddresses" type REG_DWORD

0 or non-zero (FALSE, or TRUE).  Determines if we'll add in IP addresses in 
TGS_REP.

Default is FALSE, due to DHCP / NAT issues.

KdcUseClientAddresses stores value as a BOOLEAN.
=============================================================================
Value "KdcDontCheckAddresses" type REG_DWORD

0 or non-zero (FALSE, or TRUE).  Determines if we'll check IP addresses for
TGS_REQ vs. what's in the TGT caddr field.

Default is TRUE, meaning we won't check IP addresses, due to DHCP and NAT issues.

KdcDontCheckAddresses stores value as a BOOLEAN.
=============================================================================
Value "NewConnectionTimeout" type REG_DWORD

Time in seconds.  Determines how long after an initial TCP endpoint connection
we'll keep listening for data before disconnecting.

Default is 50 seconds.

KdcExistingConnectionTimeout stores value as a ULONG.
=============================================================================
Value "MaxDatagramReplySize" type REG_DWORD

Size in bytes.  Determines the upper threshold of UDP packet size in TGS_REP 
and AS_REP, before the KDC will return a KRB_ERR_RESPONSE_TOO_BIG requiring 
the client to switch to TCP.

Default is #define KERB_MAX_DATAGRAM_REPLY_SIZE          4000

KdcGlobalMaxDatagramReplySize stores value as a ULONG.
=============================================================================
Value "KdcExtraLogLevel" type REG_DWORD

ULONG flag used to determine extra KDC logging in event logs and audits.  

Values are:

#define LOG_SPN_UNKNOWN 0x1 - audit SPN unknown errors
#define LOG_PKI_ERRORS  0x2 - log detailed PKINIT errors
#define LOG_ALL_KLIN    0x4 - log all KDC errors with KLIN information.

Default is #define LOG_DEFAULT     LOG_PKI_ERRORS

KdcExtraLogLevel stores value as a ULONG.
=============================================================================
Value "KdcDebugLevel" type REG_DWORD

ULONG flag used to determine level of debug spew in DebugLog() macros.  Available
in both FRE and CHK builds.  

Values are:

#define DEB_ERROR               0x00000001
#define DEB_WARN                0x00000002
#define DEB_TRACE               0x00000004
#define DEB_TRACE_API           0x00000008
#define DEB_TRACE_CRED          0x00000010
#define DEB_TRACE_CTXT          0x00000020
#define DEB_TRACE_LSESS         0x00000040
#define DEB_TRACE_TCACHE        0x00000080
#define DEB_TRACE_LOGON         0x00000100
#define DEB_TRACE_KDC           0x00000200
#define DEB_TRACE_CTXT2         0x00000400
#define DEB_TRACE_TIME          0x00000800
#define DEB_TRACE_USER          0x00001000
#define DEB_TRACE_LEAKS         0x00002000
#define DEB_TRACE_SOCK          0x00004000
#define DEB_TRACE_SPN_CACHE     0x00008000
#define DEB_S4U_ERROR           0x00010000
#define DEB_TRACE_S4U           0x00020000
#define DEB_TRACE_BND_CACHE     0x00040000
#define DEB_TRACE_LOOPBACK      0x00080000
#define DEB_TRACE_TKT_RENEWAL   0x00100000
#define DEB_TRACE_U2U           0x00200000
#define DEB_TRACE_LOCKS         0x01000000
#define DEB_USE_LOG_FILE        0x02000000

Default is DEB_ERROR for CHK builds, and 0 (no logging) for FRE builds.  

Additionally, the value:

#define DEB_USE_EXT_ERRORS      0x10000000

will cause the KLIN macros and extended information to be returned in the
edata field of KERB_ERRORs as PKERB_EXT_ERROR.

KdcInfoLevel and KSuppInfoLevel store this value as a ULONG.  KSuppInfoLevel
determines logging for the common2 library.
=============================================================================
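KerbDebugLevel, KdcDebugLevel and KdcExtraLogLevel are bitmasks, so a raw DWORD in the registry says little until it is split into the flags listed in this section and the KerbDebugLevel section above. The script below is an added example (not from the Kerberos or KDC source tree) that decodes such a value into flag names, reports any bits that match none of the documented flags, and reads the three values from the two registry keys named in these notes. It assumes Windows PowerShell 5.1 or later; the flag tables are transcribed from the #define lists above, and the function names are ours.

```powershell
# Added example, not from the Kerberos/KDC source tree: decode the debug and
# extra-log bitmasks documented above. Assumes Windows PowerShell 5.1+.

# Transcribed from the DEB_* list above; DEB_USE_EXT_ERRORS is KDC-only.
$debugFlags = [ordered]@{
    DEB_ERROR             = 0x00000001
    DEB_WARN              = 0x00000002
    DEB_TRACE             = 0x00000004
    DEB_TRACE_API         = 0x00000008
    DEB_TRACE_CRED        = 0x00000010
    DEB_TRACE_CTXT        = 0x00000020
    DEB_TRACE_LSESS       = 0x00000040
    DEB_TRACE_TCACHE      = 0x00000080
    DEB_TRACE_LOGON       = 0x00000100
    DEB_TRACE_KDC         = 0x00000200
    DEB_TRACE_CTXT2       = 0x00000400
    DEB_TRACE_TIME        = 0x00000800
    DEB_TRACE_USER        = 0x00001000
    DEB_TRACE_LEAKS       = 0x00002000
    DEB_TRACE_SOCK        = 0x00004000
    DEB_TRACE_SPN_CACHE   = 0x00008000
    DEB_S4U_ERROR         = 0x00010000
    DEB_TRACE_S4U         = 0x00020000
    DEB_TRACE_BND_CACHE   = 0x00040000
    DEB_TRACE_LOOPBACK    = 0x00080000
    DEB_TRACE_TKT_RENEWAL = 0x00100000
    DEB_TRACE_U2U         = 0x00200000
    DEB_TRACE_LOCKS       = 0x01000000
    DEB_USE_LOG_FILE      = 0x02000000
    DEB_USE_EXT_ERRORS    = 0x10000000   # KDC only: KLIN detail goes to clients in KERB_ERROR edata
}

# Transcribed from the KdcExtraLogLevel list above.
$kdcExtraLogFlags = [ordered]@{
    LOG_SPN_UNKNOWN = 0x1
    LOG_PKI_ERRORS  = 0x2
    LOG_ALL_KLIN    = 0x4
}

function ConvertFrom-KerbFlagMask {
    param([int64]$Mask, [System.Collections.IDictionary]$Map)
    # REG_DWORD values come back as signed int32; normalise to the unsigned range.
    $value = $Mask -band [int64][uint32]::MaxValue
    $known = [int64]0
    $set   = @()
    foreach ($entry in $Map.GetEnumerator()) {
        $bit   = [int64]$entry.Value
        $known = $known -bor $bit
        if (($value -band $bit) -ne 0) { $set += $entry.Key }
    }
    $unknown = $value -band (-bnot $known)   # bits no documented flag accounts for
    [pscustomobject]@{
        Value   = '0x{0:X8}' -f $value
        Flags   = if ($set.Count -gt 0) { $set -join ' | ' } else { '(none)' }
        Unknown = if ($unknown -ne 0) { '0x{0:X8}' -f $unknown } else { '' }
    }
}

function Get-KerbRegistryDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value absent: build default applies
    return [int64]$item.$Name
}

$clientPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$kdcPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'

$checks = @(
    @{ Path = $clientPath; Name = 'KerbDebugLevel';   Map = $debugFlags;       BuildDefault = '0 on FRE, DEB_ERROR on CHK' }
    @{ Path = $kdcPath;    Name = 'KdcDebugLevel';    Map = $debugFlags;       BuildDefault = '0 on FRE, DEB_ERROR on CHK' }
    @{ Path = $kdcPath;    Name = 'KdcExtraLogLevel'; Map = $kdcExtraLogFlags; BuildDefault = 'LOG_PKI_ERRORS' }
)

foreach ($c in $checks) {
    $raw = Get-KerbRegistryDword -Path $c.Path -Name $c.Name
    if ($null -eq $raw) {
        '{0,-16} not set; build default applies ({1})' -f $c.Name, $c.BuildDefault
        continue
    }
    $decoded = ConvertFrom-KerbFlagMask -Mask $raw -Map $c.Map
    $extra = if ($decoded.Unknown) { " (undocumented bits $($decoded.Unknown))" } else { '' }
    '{0,-16} {1} = {2}{3}' -f $c.Name, $decoded.Value, $decoded.Flags, $extra
}

# Constructed sample value (not read from any machine): DEB_ERROR together with
# DEB_USE_EXT_ERRORS, the combination that puts KLIN detail into error replies.
ConvertFrom-KerbFlagMask -Mask 0x10000001 -Map $debugFlags
```

On a domain controller, a decoded KdcDebugLevel that includes DEB_USE_EXT_ERRORS deserves a second look: as the notes above state, it returns KLIN macros and extended error information to clients in the edata field, which is diagnostic detail you normally want only in the DC's own logs.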