archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/ds/security/protocols/kerberos/readme.txt

325 lines
14 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. *****************************************************************************
  2. *****************************************************************************
  4. Kerberos Configuration Keys
  6. *****************************************************************************
  7. *****************************************************************************
  9. Registry entries that Kerberos is interested in:
  11. The following are in HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
  12. At boot, these registry entries are read and stored in globals. They are also
  13. runtime configurable.
  15. =============================================================================
  16. Value "SkewTime" , Type REG_DWORD
  17. Whatever it's set to will be the Skew time in minutes, default is KERB_DEFAULT_SKEWTIME minutes
  18. #define KERB_DEFAULT_SKEWTIME 5
  19. EXTERN TimeStamp KerbGlobalSkewTime;
  20. This is the time difference that's tolerated between one machine and the
  21. machine that you are trying to authenticate (dc/another wksta etc).
  22. Units are in 10 ** 7 seconds. If this is a checked build, default in 2 hours.
  23. =============================================================================
  24. Value "LogLevel", Type REG_DWORD
  25. If it's set to anything non-zero, all Kerberos errors will be logged in the
  26. system event log. Default is KERB_DEFAULT_LOGLEVEL
  27. #define KERB_DEFAULT_LOGLEVEL 0
  28. KerbGlobalLoggingLevel saves this value.
  29. =============================================================================
  30. Value "MaxPacketSize" Type REG_DWORD
  31. Whatever this is set to will be max size that we'll try udp with. If the
  32. packet size is bigger than this value, we'll do tcp. Default is
  33. KERB_MAX_DATAGRAM_SIZE bytes
  34. #define KERB_MAX_DATAGRAM_SIZE 1500
  35. KerbGlobalMaxDatagramSiz saves this value
  36. =============================================================================
  37. Value "StartupTime" Type REG_DWORD
  38. In seconds. Wait for the specified number of seconds for the KDC to start
  39. before giving up. Default is KERB_KDC_WAIT_TIME seconds.
  40. #define KERB_KDC_WAIT_TIME 120
  41. KerbGlobalKdcWaitTime saves this value.
  42. =============================================================================
  43. Value "KdcWaitTime" Type REG_DWORD
  44. In seconds. Value passed to winsock as timeout for selecting a response from
  45. a KDC. Default is KerbGlobalKdcCallTimeout seconds.
  46. #define KERB_KDC_CALL_TIMEOUT 10
  47. KerbGlobalKdcCallTimeout saves this value
  48. =============================================================================
  49. Value "KdcBackoffTime" Type REG_DWORD
  50. In seconds. Value that is added to KerbGlobalKdcCallTimeout each successive
  51. call to a KDC in case of a retry. Default is KERB_KDC_CALL_TIMEOUT_BACKOFF
  52. seconds.
  53. #define KERB_KDC_CALL_TIMEOUT_BACKOFF 10
  54. KerbGlobalKdcCallBackoff saves this value.
  55. =============================================================================
  56. Value "KdcSendRetries" Type REG_DWORD
  57. The number of retry attempts a client will make in order to contact a KDC.
  58. Default is KERB_MAX_RETRIES
  59. #define KERB_MAX_RETRIES 3
  60. KerbGlobalKdcSendRetries saves this value
  61. =============================================================================
  62. Value "DefaultEncryptionType" Type REG_DWORD
  63. The default encryption type for PreAuth. As of beta3, this was
  64. KERB_ETYPE_RC4_HMAC_OLD
  65. #ifndef DONT_SUPPORT_OLD_TYPES
  66. KerbGlobalDefaultPreauthEtype = KERB_ETYPE_RC4_HMAC_OLD;
  67. #else
  68. KerbGlobalDefaultPreauthEtype = KERB_ETYPE_RC4_HMAC_NT;
  69. #endif
  70. KerbGlobalDefaultPreauthEtype saves this value
  71. =============================================================================
  72. Value "FarKdcTimeout" Type REG_DWORD
  73. Time in minutes. This timeout is used to invalidate a dc that is in the dc
  74. cache for the Kerberos clients for dc's that are not in the same site as the
  75. client. Default is KERB_BINDING_FAR_DC_TIMEOUT minutes.
  76. #define KERB_BINDING_FAR_DC_TIMEOUT 10
  77. KerbGlobalFarKdcTimeout saves this value as a TimeStamp ( 10000000 * 60 * number of minutes).
  78. =============================================================================
  79. Value "NearKdcTimeout" Type REG_DWORD
  80. Time in minutes. This timeout is used to invalidate a dc that is in the dc
  81. cache for the Kerberos clients for dcs in the same site as the
  82. client. Default is KERB_BINDING_NEAR_DC_TIMEOUT minutes.
  83. #define KERB_BINDING_NEAR_DC_TIMEOUT 30
  84. KerbGlobalNearKdcTimeout saves this value as a TimeStamp ( 10000000 * 60 * number of minutes).
  85. =============================================================================
  86. Value "StronglyEncryptDatagram" Type REG_BOOL
  87. Flag decides whether we do 128 bit encryption for datagram. Default is
  88. KERB_DEFAULT_USE_STRONG_ENC_DG
  89. #define KERB_DEFAULT_USE_STRONG_ENC_DG FALSE
  90. KerbGlobalUseStrongEncryptionForDatagram saves this value.
  91. =============================================================================
  92. Value "MaxReferralCount" type REG_DWORD
  93. Is count of how many KDC referrals client will follow before giving up.
  94. Default is KERB_MAX_REFERRAL_COUNT = 6
  95. KerbGlobalMaxReferralCount saves this value
  96. =============================================================================
  97. Value "KerbDebugLevel" type REG_DWORD
  98. Debug log levels used in DebugLog() macro. Default is DEB_ERROR for CHK builds
  99. and 0 (no logging) for FRE builds. Possible values include:
  101. #define DEB_ERROR 0x00000001
  102. #define DEB_WARN 0x00000002
  103. #define DEB_TRACE 0x00000004
  104. #define DEB_TRACE_API 0x00000008
  105. #define DEB_TRACE_CRED 0x00000010
  106. #define DEB_TRACE_CTXT 0x00000020
  107. #define DEB_TRACE_LSESS 0x00000040
  108. #define DEB_TRACE_TCACHE 0x00000080
  109. #define DEB_TRACE_LOGON 0x00000100
  110. #define DEB_TRACE_KDC 0x00000200
  111. #define DEB_TRACE_CTXT2 0x00000400
  112. #define DEB_TRACE_TIME 0x00000800
  113. #define DEB_TRACE_USER 0x00001000
  114. #define DEB_TRACE_LEAKS 0x00002000
  115. #define DEB_TRACE_SOCK 0x00004000
  116. #define DEB_TRACE_SPN_CACHE 0x00008000
  117. #define DEB_S4U_ERROR 0x00010000
  118. #define DEB_TRACE_S4U 0x00020000
  119. #define DEB_TRACE_BND_CACHE 0x00040000
  120. #define DEB_TRACE_LOOPBACK 0x00080000
  121. #define DEB_TRACE_TKT_RENEWAL 0x00100000
  122. #define DEB_TRACE_U2U 0x00200000
  123. #define DEB_TRACE_LOCKS 0x01000000
  124. #define DEB_USE_LOG_FILE 0x02000000
  126. These values are stored in KerbInfoLevel and KSuppInfoLevel (for common2 routines).
  127. =============================================================================
  128. Value "MaxTokenSize" type REG_DWORD
  129. This sets the QCA value for maximum token size, and is used to allow QCA to
  130. be modified to return a value large enough for tickets containing large numbers
  131. of groups. It is recommended that this value remain less than 50k.
  133. Default #define KERBEROS_MAX_TOKEN 12000
  135. KerbGlobalMaxTokenSize stores this value.
  136. =============================================================================
  137. Value "SpnCacheTimeout" type REG_DWORD
  139. Time in minutes. This timeout is used to determine the lifetime of the SPN cache
  140. entries. Default is 15 minutes. On domain controllers, the default is to not cache SPNs.
  142. Default is #define KERB_SPN_CACHE_TIMEOUT 15
  144. KerbGlobalSpnCacheTimeout stores value as a TimeStamp ( 10000000 * 60 * number of minutes).
  145. =============================================================================
  146. Value "S4UCacheTimeout" type REG_DWORD
  148. Time in minutes. This timeout is used to determine the lifetime of the S4U negative cache
  149. entries, which are used to restrict how many S4UProxy requests hit the wire from a given
  150. machine.
  152. Default is #define KERB_S4U_CACHE_TIMEOUT 15
  154. KerbGlobalS4UCacheTimeout stores value as a TimeStamp ( 10000000 * 60 * number of minutes).
  155. =============================================================================
  156. Value "S4UTicketLifetime" type REG_DWORD
  158. Time in minutes. This timeout is used to determine the lifetime of tickets obtained by S4U
  159. proxy requests.
  161. Default is #define KERB_S4U_TICKET_LIFETIME 15
  163. KerbGlobalS4UTicketLifetime stores value as a TimeStamp ( 10000000 * 60 * number of minutes).
  164. =============================================================================
  165. Value "RetryPdc" type REG_DWORD
  167. 0 or non-zero (FALSE, or TRUE). Determines if we'll attempt to contact the PDC
  168. for password expired errors for AS_REQ.
  170. Default is FALSE.
  172. KerbGlobalRetryPdcstores value as a BOOLEAN
  173. =============================================================================
  174. Value "RequestOptions" type REG_DWORD
  176. Determines if there are additional options that need to be emitted as KdcOptions
  177. in TGS_REQ. Meant for future modifications of kdc options, and can be any
  178. RFC1510 value.
  180. Default is :
  182. #define KERB_ADDITIONAL_KDC_OPTIONS (KERB_KDC_OPTIONS_name_canonicalize)
  184. KerbGlobalKdcOptions stored as a ULONG.
  185. =============================================================================
  186. Value "ClientIpAddresses" type REG_DWORD
  188. 0 or non-zero (FALSE, or TRUE). Determines if we'll add in IP addresses in
  189. AS_REQ, thus forcing the caddr field to contain IP addresses in all tickets.
  191. Default is FALSE, due to DHCP / NAT issues.
  193. #define KERB_DEFAULT_CLIENT_IP_ADDRESSES 0
  195. KerbGlobalUseClientIpAddresses value as a BOOLEAN
  196. =============================================================================
  197. Value "TgtRenewalTime" type REG_DWORD
  199. Time in seconds. Determines amount of time before a TGT expires when
  200. kerberos will attempt to renew the ticket. Only applies to initial TGTs.
  202. Default is #define KERB_DEFAULT_TGT_RENEWAL_TIME 600
  204. KerbGlobalTgtRenewalTime stores value as a TimeStamp ( 10000000 * 60 * number of minutes).
  205. =============================================================================
  206. Value "AllowTgtSessionKey" type REG_DWORD
  208. 0 or non-zero (FALSE, or TRUE). Determines if we'll allow session keys to
  209. be exported with initial, or cross realm TGTs.
  211. Default is FALSE, due to security concerns.
  213. KerbGlobalAllowTgtSessionKey stores value as a BOOLEAN
  214. =============================================================================
  216. *****************************************************************************
  217. *****************************************************************************
  219. KDC Configuration Keys
  221. *****************************************************************************
  222. *****************************************************************************
  224. The following keys apply to the KDC only, and are located at:
  226. HKLM\System\CurrentControlSet\Services\Kdc. The are runtime configurable.
  229. =============================================================================
  230. Value "KdcUseClientAddresses" type REG_DWORD
  232. 0 or non-zero (FALSE, or TRUE). Determines if we'll add in IP addresses in
  233. TGS_REP.
  235. Default is FALSE, due to DHCP / NAT issues.
  237. KdcUseClientAddresses stores value as a BOOLEAN.
  238. =============================================================================
  239. Value "KdcDontCheckAddresses" type REG_DWORD
  241. 0 or non-zero (FALSE, or TRUE). Determines if we'll check IP addresses for
  242. TGS_REQ vs. what's in the TGT caddr field.
  244. Default is TRUE, meaning we won't check IP addresses, due to DHCP and NAT issues.
  246. KdcDontCheckAddresses stores value as a BOOLEAN.
  247. =============================================================================
  248. Value "NewConnectionTimeout" type REG_DWORD
  250. Time in seconds. Determines how long after an initial TCP endpoint connection
  251. that we'll keep listening for data before disconnecting.
  253. Default is 50 seconds.
  255. KdcExistingConnectionTimeout stores value as a ULONG.
  256. =============================================================================
  257. Value "MaxDatagramReplySize" type REG_DWORD
  259. Size in bytes. Determines the upper threshold of UDP packet size in TGS_REP
  260. and AS_REP, before the KDC will return a KRB_ERR_RESPONSE_TOO_BIG requiring
  261. the client to switch to TCP.
  263. Default is #define KERB_MAX_DATAGRAM_REPLY_SIZE 4000
  265. KdcGlobalMaxDatagramReplySize stores value as a ULONG.
  266. =============================================================================
  267. Value "KdcExtraLogLevel" type REG_DWORD
  269. ULONG flag used to determine extra KDC logging in event logs and audits.
  271. Values are:
  273. #define LOG_SPN_UNKNOWN 0x1 - audit SPN unknown errors
  274. #define LOG_PKI_ERRORS 0x2 - log detailed PKINIT errors
  275. #define LOG_ALL_KLIN 0x4 - log all KDC errors with KLIN information.
  277. Default is #define LOG_DEFAULT LOG_PKI_ERRORS
  279. KdcExtraLogLevel stores value as a ULONG.
  280. =============================================================================
  281. Value "KdcDebugLevel" type REG_DWORD
  283. ULONG flag used to determine level of debug spew in DebugLog() macros. Available
  284. in both FRE and CHK builds.
  286. Values are:
  288. #define DEB_ERROR 0x00000001
  289. #define DEB_WARN 0x00000002
  290. #define DEB_TRACE 0x00000004
  291. #define DEB_TRACE_API 0x00000008
  292. #define DEB_TRACE_CRED 0x00000010
  293. #define DEB_TRACE_CTXT 0x00000020
  294. #define DEB_TRACE_LSESS 0x00000040
  295. #define DEB_TRACE_TCACHE 0x00000080
  296. #define DEB_TRACE_LOGON 0x00000100
  297. #define DEB_TRACE_KDC 0x00000200
  298. #define DEB_TRACE_CTXT2 0x00000400
  299. #define DEB_TRACE_TIME 0x00000800
  300. #define DEB_TRACE_USER 0x00001000
  301. #define DEB_TRACE_LEAKS 0x00002000
  302. #define DEB_TRACE_SOCK 0x00004000
  303. #define DEB_TRACE_SPN_CACHE 0x00008000
  304. #define DEB_S4U_ERROR 0x00010000
  305. #define DEB_TRACE_S4U 0x00020000
  306. #define DEB_TRACE_BND_CACHE 0x00040000
  307. #define DEB_TRACE_LOOPBACK 0x00080000
  308. #define DEB_TRACE_TKT_RENEWAL 0x00100000
  309. #define DEB_TRACE_U2U 0x00200000
  310. #define DEB_TRACE_LOCKS 0x01000000
  311. #define DEB_USE_LOG_FILE 0x02000000
  313. Default is DEB_ERROR for CHK builds, and 0 (no logging) for FRE builds.
  315. Additionally, the value:
  317. #define DEB_USE_EXT_ERRORS 0x10000000
  319. will cause the klin macros and extended information to be returned in the
  320. edata field of KERB_ERRORS as PKERB_EXT_ERROR.
  322. KdcInfoLevel and KSuppinfolevel stores value as a ULONG. KSuppInfolevel
  323. determines logging for common2 library.
  324. =============================================================================