
Administering the Kerberos Server
Attributes Tab (Principal Information Window)
Chapter 8
Table 8-12 Attributes Tab Components (Continued)

Components    Description

Require Preauthentication
Specifies whether a principal is required to use preauthentication in the TGT request. Preauthentication means that additional known encrypted data is sent with the ticket request, providing additional security when the TGT is presented to gain access to a secured service.

The Require Preauthentication attribute applies to user and service principals. If this attribute is set for a user principal, the user is required to run the logon software that performs authentication using the preauthentication protocol. If this attribute is set for a service principal, the service cannot accept TGTs from a user principal if the user did not obtain a TGT using a preauthentication protocol.

Require Password Change
Specifies that a principal must change its password during the next logon to the Kerberos server. The Require Password Change attribute applies to user principals.

When new principals are added to the database or when the password of the principal is changed, this attribute is controlled by the NoReqChangePwd setting in the password policy file of the principal. By default, NoReqChangePwd is set to 0 (zero), meaning that users must change their passwords during first logon.
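
The effect of the Require Preauthentication attribute on user and service principals, modelled as an added example (not code from this guide or from the Kerberos server). It assumes a keyed MAC over a timestamp as a stand-in for the encrypted preauthentication data, and the names `Principal`, `Tgt`, `as_request`, `service_ticket_request` and the `MAX_SKEW` value are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass

MAX_SKEW = 300  # seconds; assumed clock-skew window, not a documented value


@dataclass
class Principal:
    name: str
    key: bytes                     # long-term key (constructed sample value)
    require_preauth: bool = False  # models the Require Preauthentication attribute


@dataclass
class Tgt:
    client: str
    pre_authent: bool  # records whether the TGT was obtained with preauthentication


def make_preauth(key: bytes, now: int):
    """Client side: a timestamp plus a MAC standing in for the encrypted data."""
    ts = str(int(now)).encode()
    return ts, hmac.new(key, ts, hashlib.sha256).digest()


def as_request(user: Principal, preauth, now: int) -> Tgt:
    """Server side of the TGT request; raises PermissionError on refusal."""
    if preauth is None:
        if user.require_preauth:
            raise PermissionError("preauthentication required")
        return Tgt(user.name, pre_authent=False)
    ts, mac = preauth
    expected = hmac.new(user.key, ts, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        raise PermissionError("preauthentication failed")
    if abs(now - int(ts.decode())) > MAX_SKEW:  # reject stale or replayed data
        raise PermissionError("timestamp outside allowed skew")
    return Tgt(user.name, pre_authent=True)


def service_ticket_request(tgt: Tgt, service: Principal) -> str:
    """A service with the attribute set refuses TGTs obtained without preauth."""
    if service.require_preauth and not tgt.pre_authent:
        raise PermissionError("service requires a preauthenticated TGT")
    return f"ticket for {tgt.client} to {service.name}"
```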