- Principal
Displays the name of the principal you are editing.
- Allow Postdated Attribute
The Allow Postdated attribute
specifies if a principal is allowed ticket postdating. Postdating
is a mechanism that allows a principal to obtain a ticket that is
initially invalid but can become valid at some time in the future.
The Allow Postdated attribute applies
to both user and service principals. If the attribute is set for
a user principal, the user can be issued either a postdated or postdatable
ticket. If this attribute is set for a service principal, the server
can issue postdated service tickets for the service.
- Allow Renewable Tickets
The Allow Renewable attribute
specifies if a principal is allowed to renew its tickets. Renewable
tickets are those that a principal can re-validate up to the maximum
renewable time.
The Allow Renewable attribute applies
to both user and service principals. If this attribute is set for
a user principal, the principal can be issued a renewable ticket.
If this attribute is set for a service principal, the server can
issue a renewable ticket for the service.
The maximum renew time is set on the General tab of the Principal
Information window.
- Allow Forwardable Attribute
The Allow Forwardable attribute specifies
if a principal is allowed ticket forwarding. Forwarding is a mechanism
that sends a TGT from one network host to another. The forwarded
TGT can be used to generate a new service ticket on the second host
system on the principal's behalf.
The Allow Forwardable attribute applies
to both user and service principals. If this attribute is set for
a user principal, the principal can be issued a forwarded or forwardable
ticket. If this attribute is set for a service principal, the server
can issue a forwarded service ticket for the service.
- Allow Proxy Attribute
The Allow Proxy attribute
specifies if a principal is allowed proxy tickets. Proxy tickets
allow an application that a principal accesses with a TGT to request
a special class of service ticket that can be handed to another host
on the network, which then acts on the principal's behalf for that one
service (for example, a print service that reads the file to be printed).
Unlike a forwarded TGT, a proxy ticket is good only for the named
service; it cannot be used to obtain further tickets.
The Allow Proxy attribute applies to
both user and service principals. If this attribute is set for
a user principal, the principal can be issued a proxy ticket. If this
attribute is set for a service principal, the server can issue a
proxy service ticket for the service.
- Allow Duplicate Session Keys Attribute
The Allow Duplicate Session Keys attribute
specifies if a principal is allowed to use a duplicate session key.
A duplicate session key is used in user-to-user authentication,
where the service ticket is encrypted in the session key of the
server's own TGT instead of in the server's long-term key.
- Require Pre-authentication Attribute
The Require Preauthentication attribute
specifies if a principal is required to use preauthentication in
the TGT request. Preauthentication means that the client sends
additional data encrypted in its own key (typically a timestamp) with
the initial ticket request, so that the security server can verify
that the requester knows the principal's key before it returns a TGT.
Without preauthentication, the server returns the encrypted TGT response
to anyone who asks for it in the principal's name, which gives an
attacker material for offline password guessing.
The Require Preauthentication attribute
applies to both user and service principals. If this attribute is set
for a user principal, the user is required to be running logon software
that performs authentication using the preauthentication protocol.
If this attribute is set for a service principal, the server does not
issue service tickets for that service to a user principal whose TGT
was obtained without preauthentication.
- Require Password Change Attribute
The Require Password
Change attribute specifies that a principal must change
its password during the next logon to the security server. The Require
Password Change attribute applies to user principals.
When a new principal is added to the database or when a
principal's password is changed, this attribute is controlled
by the NoReqChangePwd setting in the Principal's Password Policy file.
By default, NoReqChangePwd is set to zero, meaning the user must change
their password at the first logon.
- Lock Principal Attribute
The Lock Principal attribute specifies if a principal
is active. A locked principal still exists in the principal database,
but it is unable to use or provide Kerberized services.
The Lock Principal attribute applies
to both user and service principals. If this attribute is set for
a user principal, no tickets can be issued to the user. If this
attribute is set for a service principal, no tickets are issued for it.
The Lock attribute becomes set when
a principal exceeds the maximum number of failed authentication attempts
allowed by the password policy file. The default maximum number of
failed authentication attempts is five (5). If a principal
is locked, an administrative user must unlock the principal before
the user can authenticate again.
- Allow As Service Attribute
The Allow As Service attribute specifies
whether a Principal is allowed to act as a service. Set this attribute
to allow a principal to act as a service (that is, the principal's
name is in the server field of the service ticket). This attribute
should be selected for any principal that is used as a service principal.
The Allow As Service Attribute can
be applied to all principals, not just principals that act solely
as service principals. The attribute is selected by default.
NOTE: User principals need to have this attribute set when using
user-to-user authentication.
- Require Initial Authentication Attribute
The Require Initial Authentication attribute
specifies whether the server is allowed to issue service tickets for
the service principal to a user principal on the basis of a previously
obtained TGT.
If this attribute is set for the service principal, a user principal
is required to go through initial authentication, that is, to
authenticate to the server again with its password or key, to obtain
a ticket for that service. For example, the Change Password service
requires that a principal enter a password to receive a ticket for
the change password service, so that a stolen or unattended TGT cannot
be used to change the password. If this attribute is not set, then
the server issues a service ticket based on the TGT the user already
possesses.
The Require Initial Authentication attribute
only applies to service principals. If this attribute is selected for
a principal being edited or created, the Allow as Service attribute
is automatically selected.
- Set As Password Change Service Attribute
The Set As Password Change Service attribute specifies
whether the server is allowed to issue initial tickets for this service
principal to user principals whose passwords have expired. This is what
lets a user whose password has expired still obtain a ticket for the
change password service and set a new password, while every other
service remains unreachable until the change is made.
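The attributes above are inputs to policy checks the security server makes when a ticket is requested. The following model of those checks is an added example written for this page; it is not the security server's own code, and the Principal class, its field names and the helper functions are this example's own simplification. The error names follow RFC 4120, and an option is honoured only when both the user and the service principal allow it, as each attribute description above states.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

MAX_FAILED_ATTEMPTS = 5          # page default for the password policy file


# Example data model (assumption): one boolean per GUI attribute above.
# Defaults mirror the page: Allow As Service on, everything else permissive,
# preauthentication, initial authentication and lock off.
@dataclass
class Principal:
    name: str
    allow_postdated: bool = True
    allow_renewable: bool = True
    allow_forwardable: bool = True
    allow_proxy: bool = True
    allow_dup_skey: bool = True
    require_preauth: bool = False
    require_pw_change: bool = False
    locked: bool = False
    allow_as_service: bool = True
    require_initial_auth: bool = False
    pw_change_service: bool = False
    failed_attempts: int = 0


@dataclass
class Ticket:
    client: str
    server: str
    flags: Set[str] = field(default_factory=set)   # RFC 4120 ticket flag names


@dataclass
class Decision:
    ok: bool
    reason: str                       # "OK" or an RFC 4120 KDC error name
    ticket: Optional[Ticket] = None


# Requested option -> attribute that must be set on BOTH client and service.
OPTION_ATTR = {
    "POSTDATED": "allow_postdated", "RENEWABLE": "allow_renewable",
    "FORWARDABLE": "allow_forwardable", "FORWARDED": "allow_forwardable",
    "PROXIABLE": "allow_proxy", "PROXY": "allow_proxy",
    "ENC-TKT-IN-SKEY": "allow_dup_skey",          # user-to-user authentication
}


def _issue(client: Principal, service: Principal, options: Tuple[str, ...],
           base_flags: Set[str]) -> Decision:
    """Apply the per-option attribute checks, then mint the ticket."""
    flags = set(base_flags)
    for opt in options:
        attr = OPTION_ATTR.get(opt)
        if attr and not (getattr(client, attr) and getattr(service, attr)):
            return Decision(False, "KDC_ERR_POLICY")
        flags.add(opt)
    return Decision(True, "OK", Ticket(client.name, service.name, flags))


def as_request(client: Principal, service: Principal, options: Tuple[str, ...] = (),
               preauth_present: bool = False) -> Decision:
    """Initial (AS) exchange: the client has no TGT and proves its own key."""
    if client.locked:
        return Decision(False, "KDC_ERR_CLIENT_REVOKED")
    if service.locked:
        return Decision(False, "KDC_ERR_SERVICE_REVOKED")
    if not service.allow_as_service:
        return Decision(False, "KDC_ERR_S_PRINCIPAL_UNKNOWN")
    # Require Pre-authentication: nothing encrypted in the client's key leaves
    # the server until the client has shown it knows that key.
    if client.require_preauth and not preauth_present:
        return Decision(False, "KDC_ERR_PREAUTH_REQUIRED")
    # Require Password Change: only the password change service is reachable.
    if client.require_pw_change and not service.pw_change_service:
        return Decision(False, "KDC_ERR_KEY_EXP")
    flags = {"INITIAL"} | ({"PRE-AUTHENT"} if preauth_present else set())
    return _issue(client, service, options, flags)


def tgs_request(client: Principal, service: Principal, tgt: Ticket,
                options: Tuple[str, ...] = ()) -> Decision:
    """Ticket-granting (TGS) exchange: the client presents an existing TGT."""
    if client.locked:
        return Decision(False, "KDC_ERR_CLIENT_REVOKED")
    if service.locked:
        return Decision(False, "KDC_ERR_SERVICE_REVOKED")
    if not service.allow_as_service:
        return Decision(False, "KDC_ERR_S_PRINCIPAL_UNKNOWN")
    # Require Initial Authentication: a TGT is never enough for this service.
    if service.require_initial_auth:
        return Decision(False, "KDC_ERR_POLICY")
    # Require Pre-authentication on the service: the TGT must carry PRE-AUTHENT.
    if service.require_preauth and "PRE-AUTHENT" not in tgt.flags:
        return Decision(False, "KDC_ERR_POLICY")
    # A forwarded or proxy service ticket needs a forwardable or proxiable TGT.
    if "FORWARDED" in options and "FORWARDABLE" not in tgt.flags:
        return Decision(False, "KDC_ERR_BADOPTION")
    if "PROXY" in options and "PROXIABLE" not in tgt.flags:
        return Decision(False, "KDC_ERR_BADOPTION")
    return _issue(client, service, options, set())


def record_failed_attempt(p: Principal) -> bool:
    """Lockout rule as the page states it: lock once the count exceeds the maximum."""
    p.failed_attempts += 1
    if p.failed_attempts > MAX_FAILED_ATTEMPTS:
        p.locked = True
    return p.locked
```

A user whose TGT was issued without preauthentication is refused a ticket for a service that requires it, and a service flagged Require Initial Authentication refuses every TGS request, so the only way in is a fresh AS exchange with the password; both paths are exercised in the usage below.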