| Attribute | Description |
|---|---|
| Principal | Displays the name of the principal you are editing. |
| LDAP DN | Displays the LDAP DN that you are editing. |
| Allow Postdated | Specifies whether a principal is allowed ticket postdating. Postdating is a mechanism that allows a principal to obtain a ticket that is initially invalid but that becomes valid at some time in the future. The Allow Postdated attribute applies to both user and service principals. If you set the attribute for a user principal, the user can be issued a postdated or postdatable ticket. If you set the attribute for a service principal, the server can issue postdated service tickets for the service. |
| Allow Renewable Tickets | Specifies whether a principal is allowed to renew tickets. Renewable tickets are those that a principal can revalidate up to the maximum renewable time. The Allow Renewable attribute applies to both user and service principals. If you set this attribute for a user principal, the principal can be issued a renewable ticket. If you set this attribute for a service principal, the server issues a renewable ticket for the service. You can set the maximum renewable time on the Principal Information > General tab. |
| Allow Forwardable | Specifies whether a principal is allowed ticket forwarding. Forwarding is a process that sends a ticket-granting ticket (TGT) from one network host to another host. The second host system can use the forwarded TGT to obtain a new service ticket on behalf of the principal. The Allow Forwardable attribute applies to both user and service principals. If you set this attribute for a user principal, the principal can be issued a forwarded or forwardable ticket. If you set this attribute for a service principal, the server can issue a forwarded service ticket for the service. |
| Allow Proxy | Specifies whether a principal is allowed proxy tickets. Proxy tickets allow applications that a principal accesses with a TGT to request a special class of service ticket. This type of service ticket can be moved to another host on the network that acts on behalf of the principal, for example a print service printing a file. The Allow Proxy attribute applies to both user and service principals. If you set this attribute for a user principal, the principal can be issued a proxy ticket. If you set this attribute for a service principal, the server can issue a proxy service ticket for the service. |
| Allow Duplicate Session Keys | Specifies whether a principal is allowed to use a duplicate session key. A duplicate session key is used in user-to-user authentication and specifies which key is used to encrypt the tickets. |
| Require Preauthentication | Specifies whether a principal is required to use preauthentication in the TGT request. Preauthentication means that additional known encrypted data is sent with the ticket request, providing additional security when the TGT is presented to gain access to a secured service. The Require Preauthentication attribute applies to both user and service principals. If this attribute is set for a user principal, the user is required to run logon software that performs authentication using the preauthentication protocol. If this attribute is set for a service principal, the service cannot accept TGTs from a user principal if the user did not obtain the TGT using a preauthentication protocol. |
| Require Password Change | Specifies that a principal must change its password during the next logon to the Kerberos server. The Require Password Change attribute applies to user principals only. When new principals are added to the database, or when the password of a principal is changed, this attribute is controlled by the NoReqChangePwd setting in the principal's password policy file. By default, NoReqChangePwd is set to 0 (zero), meaning that users must change their passwords during first logon. |
| Lock Principal | Specifies whether a principal is active. A locked principal still exists in the principal database, but it is unable to use or provide Kerberos services. The Lock Principal attribute applies to both user and service principals. If you set this attribute for a user principal, tickets cannot be issued to the user. If you set this attribute for a service principal, tickets are not issued for it. When a principal exceeds the maximum number of failed authentication attempts allowed by the password policy file, the Lock attribute is set. The default maximum number of failed authentication attempts allowed is 5. If a principal is locked, an administrative user must unlock the principal before the user can authenticate. |
| Allow As Service | Specifies whether a principal is allowed to act as a service. Set this attribute to allow a principal to act as a service (that is, the name of the principal appears in the server field of the service ticket). You must select this attribute for any principal that is used as a service principal. You can apply the Allow As Service attribute to all principals, not only to principals that act solely as service principals. The attribute is selected by default. Note: User principals must have this attribute set when using user-to-user authentication. |
| Require Initial Authentication | Specifies whether the server is allowed to issue a service ticket for this service principal on behalf of a user principal using a previously obtained TGT. If you set this attribute for the service principal, a user principal must authenticate to the server again to obtain a ticket for that service. For example, the Change Password service requires that a principal enter a password to receive a ticket for the Change Password service. If you do not set this attribute, the server issues a service ticket based on the TGT that the user principal already possesses. The Require Initial Authentication attribute applies only to service principals. If you select this attribute for a principal being edited or created, the Allow As Service attribute is automatically selected. |
| Set As Password Change Service | Specifies whether the server is allowed to issue initial tickets for this service principal to user principals whose passwords have expired. |
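The following is an added example, not code from the product documented above: it models, in plain Python, the rules the table states for these attributes so the interactions can be exercised (Require Initial Authentication selecting Allow As Service, the NoReqChangePwd default, lockout after the default of 5 failed attempts, and the ticket-issuance decisions that Lock, Require Preauthentication and Allow As Service control). The `Principal` dataclass, the function names and the sample principal names are constructed for illustration; only the attribute semantics and the numeric defaults come from the table.

```python
from dataclasses import dataclass

# Default lockout threshold stated in the Lock Principal row.
DEFAULT_MAX_FAILED_ATTEMPTS = 5


@dataclass
class Principal:
    """One principal's attribute set, named after the rows of the table (constructed model)."""
    name: str
    is_service: bool
    allow_postdated: bool = False
    allow_renewable: bool = False
    allow_forwardable: bool = False
    allow_proxy: bool = False
    allow_dup_session_keys: bool = False
    require_preauth: bool = False
    require_password_change: bool = False
    locked: bool = False
    allow_as_service: bool = True          # selected by default (Allow As Service row)
    require_initial_auth: bool = False
    password_change_service: bool = False
    failed_attempts: int = 0


def create_principal(name, is_service, no_req_change_pwd=0, **flags):
    """Create a principal. With NoReqChangePwd=0 (the default) a new user
    principal gets Require Password Change set; the attribute never applies
    to service principals."""
    p = Principal(name=name, is_service=is_service, **flags)
    p.require_password_change = (not is_service) and no_req_change_pwd == 0
    return p


def set_require_initial_auth(p, value):
    """Require Initial Authentication is a service-principal attribute and,
    when selected, automatically selects Allow As Service."""
    if not p.is_service:
        raise ValueError(f"{p.name}: attribute applies only to service principals")
    p.require_initial_auth = value
    if value:
        p.allow_as_service = True


def record_auth_attempt(p, success, max_failed=DEFAULT_MAX_FAILED_ATTEMPTS):
    """Count failed authentications; reaching the policy maximum sets Lock.
    Returns True only when the attempt is accepted."""
    if p.locked:
        return False
    if success:
        p.failed_attempts = 0
        return True
    p.failed_attempts += 1
    if p.failed_attempts >= max_failed:
        p.locked = True
    return False


def unlock(p):
    """Administrative unlock; required before a locked principal can authenticate again."""
    p.locked = False
    p.failed_attempts = 0


def can_issue_tgt(user, used_preauth):
    """TGT issuance for a user principal: a locked principal gets no tickets,
    and Require Preauthentication demands the preauthentication protocol."""
    if user.locked:
        return False
    if user.require_preauth and not used_preauth:
        return False
    return True


def can_issue_service_ticket_from_tgt(service, user, tgt_used_preauth):
    """Whether a service ticket for `service` may be issued to `user`
    on the strength of a TGT the user already holds."""
    if service.locked or user.locked:
        return False
    if not service.allow_as_service:        # name may not appear in the server field
        return False
    if service.require_initial_auth:        # fresh authentication needed, not a TGT
        return False
    if service.require_preauth and not tgt_used_preauth:
        return False
    return True


def audit(p):
    """Consistency checks stated in the table, returned as a list of findings."""
    findings = []
    if p.is_service and not p.allow_as_service:
        findings.append("service principal needs Allow As Service")
    if p.require_initial_auth and not p.is_service:
        findings.append("Require Initial Authentication applies only to service principals")
    if p.require_initial_auth and not p.allow_as_service:
        findings.append("Require Initial Authentication implies Allow As Service")
    # Inferred from the Allow Duplicate Session Keys and Allow As Service rows:
    # user-to-user authentication needs both attributes on the user principal.
    if p.allow_dup_session_keys and not p.allow_as_service:
        findings.append("user-to-user authentication requires Allow As Service")
    if p.require_password_change and p.is_service:
        findings.append("Require Password Change applies only to user principals")
    return findings
```

`audit` is the part worth keeping around when reviewing an existing principal database: it reports the combinations the table says cannot be valid, such as a service principal without Allow As Service, before they surface as failed service-ticket requests.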