windows-nt/Source/XPSP1/NT/ds/security/protocols/kerberos/readme.txt

2020-09-26 03:20:57 -05:00
If you make a change, please add when this change was checked in, what build number etc.
Registry entries that Kerberos is interested in:
The following are in HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
At boot, these registry entries are read and stored in globals.
=============================================================================
Value "SkewTime" , Type REG_DWORD
Whatever it's set to will be the Skew time in minutes, default is KERB_DEFAULT_SKEWTIME minutes
#define KERB_DEFAULT_SKEWTIME 5
EXTERN TimeStamp KerbGlobalSkewTime;
This is the clock difference tolerated between this machine and the
machine you are authenticating to (a DC, another workstation, etc.). It is
stored as a TimeStamp, whose units are 100-nanosecond intervals (10 ** 7
units per second), so 5 minutes is stored as 5 * 60 * 10000000. On a checked
build the default is 2 hours. Widening the skew also widens the window in
which a captured authenticator still looks fresh, so keep it small on free
builds.
=============================================================================
Value "LogLevel", Type REG_DWORD
If it is set to anything non-zero, all Kerberos errors are logged to the
System event log, including errors that are part of normal operation (for
example the KDC's initial "pre-authentication required" response), so expect
some noise. Default is KERB_DEFAULT_LOGLEVEL
#define KERB_DEFAULT_LOGLEVEL 0
KerbGlobalLoggingLevel saves this value.
=============================================================================
Value "MaxPacketSize" Type REG_DWORD
Whatever this is set to is the largest request we will try over UDP; if the
packet is bigger than this value we use TCP instead. Default is
KERB_MAX_DATAGRAM_SIZE bytes
#define KERB_MAX_DATAGRAM_SIZE 2000
KerbGlobalMaxDatagramSize saves this value
=============================================================================
Value "StartupTime" Type REG_DWORD
In seconds. Wait for the specified number of seconds for the KDC to start
before giving up. Default is KERB_KDC_WAIT_TIME seconds.
#define KERB_KDC_WAIT_TIME 120
KerbGlobalKdcWaitTime saves this value.
=============================================================================
Value "KdcWaitTime" Type REG_DWORD
In seconds. Value passed to winsock as the timeout when waiting for a
response from a KDC. Default is KERB_KDC_CALL_TIMEOUT seconds.
#define KERB_KDC_CALL_TIMEOUT 10
KerbGlobalKdcCallTimeout saves this value
=============================================================================
Value "KdcBackoffTime" Type REG_DWORD
In seconds. Value that is added to KerbGlobalKdcCallTimeout each successive
call to a KDC in case of a retry. Default is KERB_KDC_CALL_TIMEOUT_BACKOFF
seconds.
#define KERB_KDC_CALL_TIMEOUT_BACKOFF 10
KerbGlobalKdcCallBackoff saves this value.
=============================================================================
Value "KdcSendRetries" Type REG_DWORD
The number of retry attempts a client will make in order to contact a KDC.
Default is KERB_MAX_RETRIES
#define KERB_MAX_RETRIES 3
KerbGlobalKdcSendRetries saves this value
=============================================================================
Value "DefaultEncryptionType" Type REG_DWORD
The default encryption type for PreAuth. As of beta3, this was
KERB_ETYPE_RC4_HMAC_OLD. When the registry value is absent, the compile-time
default below applies:
#ifndef DONT_SUPPORT_OLD_TYPES
KerbGlobalDefaultPreauthEtype = KERB_ETYPE_RC4_HMAC_OLD;
#else
KerbGlobalDefaultPreauthEtype = KERB_ETYPE_RC4_HMAC_NT;
#endif
KerbGlobalDefaultPreauthEtype saves this value (the registry value overrides
the compile-time default).
=============================================================================
Value "UseSidCache", Type REG_DWORD used as a boolean (0 or 1; the registry
has no REG_BOOL type)
Flag decides whether we use SIDs instead of names. SID lookups are faster
for SAM at the server end. Default is KERB_DEFAULT_USE_SIDCACHE
#define KERB_DEFAULT_USE_SIDCACHE FALSE
KerbGlobalUseSidCache saves this value
=============================================================================
Value "FarKdcTimeout" Type REG_DWORD
Time in minutes. This timeout is used to invalidate a dc that is in the dc
cache for the Kerberos clients for dc's that are not in the same site as the
client. Default is KERB_BINDING_FAR_DC_TIMEOUT minutes.
#define KERB_BINDING_FAR_DC_TIMEOUT 10
KerbGlobalFarKdcTimeout saves this value as a TimeStamp ( 10000000 * 60 * number of minutes).
=============================================================================
Value "StronglyEncryptDatagram", Type REG_DWORD used as a boolean (0 or 1;
the registry has no REG_BOOL type)
Flag decides whether we do 128-bit encryption for datagram traffic. Default
is KERB_DEFAULT_USE_STRONG_ENC_DG
#define KERB_DEFAULT_USE_STRONG_ENC_DG FALSE
KerbGlobalUseStrongEncryptionForDatagram saves this value.
=============================================================================
Value "MaxReferralCount", Type REG_DWORD
The number of KDC referrals the client will follow before giving up.
Default is KERB_MAX_REFERRAL_COUNT
#define KERB_MAX_REFERRAL_COUNT 6
KerbGlobalMaxReferralCount saves this value
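=============================================================================
The following PowerShell is an added example and is not part of the Windows
source tree. It reads the values listed above from the Parameters key, fills
in the documented KERB_* defaults for any that are absent, converts the
minute-valued ones to TimeStamp units the way FarKdcTimeout describes, and
reports the settings a reviewer would want to look at. The function names,
the warning thresholds and the one-entry etype name table (23 assumed to be
KERB_ETYPE_RC4_HMAC_NT per ntsecapi.h) are this example's own assumptions.

```powershell
# Added example, not Windows source. Audits the Kerberos client parameters
# documented in this readme against their built-in defaults.

$KerbParamsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

# Documented defaults (the KERB_* constants from the readme). Units as in the
# readme. The two "boolean" flags are plain REG_DWORD values, 0 or 1.
$KerbDefaults = [ordered]@{
    SkewTime                = 5      # minutes, KERB_DEFAULT_SKEWTIME
    LogLevel                = 0      # KERB_DEFAULT_LOGLEVEL
    MaxPacketSize           = 2000   # bytes, KERB_MAX_DATAGRAM_SIZE
    StartupTime             = 120    # seconds, KERB_KDC_WAIT_TIME
    KdcWaitTime             = 10     # seconds, KERB_KDC_CALL_TIMEOUT
    KdcBackoffTime          = 10     # seconds, KERB_KDC_CALL_TIMEOUT_BACKOFF
    KdcSendRetries          = 3      # KERB_MAX_RETRIES
    UseSidCache             = 0      # KERB_DEFAULT_USE_SIDCACHE (FALSE)
    FarKdcTimeout           = 10     # minutes, KERB_BINDING_FAR_DC_TIMEOUT
    StronglyEncryptDatagram = 0      # KERB_DEFAULT_USE_STRONG_ENC_DG (FALSE)
    MaxReferralCount        = 6      # KERB_MAX_REFERRAL_COUNT
}

# Assumption: etype 23 is KERB_ETYPE_RC4_HMAC_NT (ntsecapi.h). Any other
# value is reported numerically rather than guessed at.
$KerbEtypeNames = @{ 23 = 'KERB_ETYPE_RC4_HMAC_NT' }

function ConvertTo-KerbTimeStamp {
    # A TimeStamp counts 100-nanosecond intervals, 10,000,000 per second,
    # i.e. the "10000000 * 60 * number of minutes" form used for FarKdcTimeout.
    param([Parameter(Mandatory)][int]$Minutes)
    [int64]$Minutes * 60L * 10000000L
}

function Get-KerbClientParameters {
    # One object per documented value: the effective value, where it came
    # from, and the TimeStamp form for the minute-valued entries.
    param([string]$Path = $KerbParamsPath)
    $props = if (Test-Path -Path $Path) { Get-ItemProperty -Path $Path } else { $null }

    foreach ($name in @($KerbDefaults.Keys) + 'DefaultEncryptionType') {
        $explicit = $null
        if ($null -ne $props -and $null -ne $props.PSObject.Properties[$name]) {
            $explicit = [int]$props.$name
        }
        # DefaultEncryptionType has no readme default: it depends on the
        # DONT_SUPPORT_OLD_TYPES compile flag, so it stays $null when absent.
        $value = if ($null -ne $explicit) { $explicit } else { $KerbDefaults[$name] }
        $ts = if ($name -in 'SkewTime', 'FarKdcTimeout' -and $null -ne $value) {
            ConvertTo-KerbTimeStamp -Minutes $value
        } else { $null }

        [pscustomobject]@{
            Name      = $name
            Value     = $value
            Source    = if ($null -ne $explicit) { 'registry' } else { 'built-in default' }
            TimeStamp = $ts
        }
    }
}

function Test-KerbClientParameters {
    # Returns one finding string per setting worth review. The thresholds
    # are this example's choices, not anything the readme prescribes.
    param([Parameter(Mandatory)][object[]]$Params)
    $p = @{}
    foreach ($item in $Params) { $p[$item.Name] = $item.Value }
    $findings = @()

    if ($p['SkewTime'] -gt $KerbDefaults['SkewTime']) {
        $findings += "SkewTime=$($p['SkewTime']) min: authenticators are accepted " +
                     "that far either side of 'now', widening the replay window"
    }
    if ($p['LogLevel'] -eq 0) {
        $findings += 'LogLevel=0: Kerberos errors are not written to the System event log'
    }
    if ($p['StronglyEncryptDatagram'] -eq 0) {
        $findings += 'StronglyEncryptDatagram=0: datagram traffic is not 128-bit encrypted'
    }
    $etype = $p['DefaultEncryptionType']
    if ($null -ne $etype) {
        $label = if ($KerbEtypeNames.ContainsKey($etype)) { $KerbEtypeNames[$etype] } else { "etype $etype" }
        $findings += "DefaultEncryptionType is set explicitly to $label; confirm this is intended"
    }
    return $findings
}

$params = Get-KerbClientParameters
$params | Format-Table -AutoSize
Test-KerbClientParameters -Params $params

# The kind of change the readme describes, e.g. turning error logging on.
# Needs an elevated prompt; per the readme the value is read at boot.
#   Set-ItemProperty -Path $KerbParamsPath -Name LogLevel -Value 1 -Type DWord
```

Running it on a machine with an empty Parameters key lists every value with
Source "built-in default" and reports LogLevel=0 and StronglyEncryptDatagram=0
as findings; any value present in the key shows up as Source "registry" and is
the one the checks are applied to.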