Access Denied: Edit Ticket Lifetime

Randy explains Win2K's service tickets and user tickets and tells how you can edit ticket lifetime and other Kerberos policies.

ITPro Today

July 1, 2001


My domain controllers' (DCs') Security logs are recording frequent occurrences of event ID 677 (i.e., Service Ticket Request Failed) with failure code 32. The failure code 32s seem directly related to the User Ticket Lifetime and the Service Ticket Lifetime parameters. Increasing these parameters' times results in far fewer event ID 677s, but the events still occur. The renewal process seems to cause an error even though the renewal request succeeds. What's happening?

You're correct about ticket lifetime. Whenever a user or client application needs to access a domain service (e.g., file sharing, Active Directory—AD), Windows 2000 obtains a Kerberos ticket that lets the client access the service. Kerberos tickets have a maximum lifetime specified in hours and a maximum renewal limit specified in days. The default maximum lifetime for user tickets and service tickets is 10 hours. The default maximum renewal for user tickets is 7 days, and service tickets have no maximum renewal policy.

Win2K uses user tickets when users access resources on the network. Win2K uses service tickets when a computer's service needs to access another computer's service. For example, local workstations must regularly check the DC for group policy changes. The maximum ticket-renewal limit is 7 days. Win2K automatically renews tickets when they expire, and eventually Win2K tries to renew a ticket beyond the ticket's renewal limit. The renewal then fails and generates event ID 677 with failure code 32. Failure code 32 is benign: Kerberos reissues a ticket despite the warning.

The failure codes you find in event ID 677 come directly from the Kerberos error codes in the Internet Engineering Task Force (IETF) Request for Comments (RFC) 1510. You can edit ticket lifetime and other Kerberos policies in Group Policy Objects (GPOs) under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy, as Figure 4 shows. Don't extend ticket lifetime too much, however, because doing so gives an attacker more time to attempt to break the ticket—an unlikely, but not impossible, event.
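
An added example (not from the original column) of triaging event ID 677 records by failure code: it maps codes to their RFC 1510 error names, sets aside the code 32 ticket-expiry events described above, and counts the remaining failures per account and service. The one-event-per-line export layout and the sample records are constructed for this example.

```python
import re
from collections import Counter

# Subset of the Kerberos error codes defined in RFC 1510 (names as in the RFC).
RFC1510_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    23: "KDC_ERR_KEY_EXPIRED",
    24: "KDC_ERR_PREAUTH_FAILED",
    32: "KRB_AP_ERR_TKT_EXPIRED",
    37: "KRB_AP_ERR_SKEW",
}
EXPECTED_NOISE = {32}  # the column describes failure code 32 as benign

# Constructed sample; this line layout is an assumption, not a Windows format.
SAMPLE_EVENTS = """\
2001-06-28 08:00:12 id=677 user=WKS01$ service=krbtgt code=32
2001-06-28 08:00:15 id=677 user=WKS02$ service=krbtgt code=0x20
2001-06-28 09:14:40 id=677 user=jdoe service=host/fs01 code=7
2001-06-28 09:15:02 id=672 user=jdoe service=krbtgt code=0
2001-06-28 09:20:11 id=677 user=jdoe service=host/fs01 code=7
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"id=(\d+) user=(\S+) service=(\S+) code=(\S+)")

def triage(text):
    """Return (noise_count, findings) for the event ID 677 records in text."""
    noise = 0
    findings = Counter()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group(1) != "677":
            continue  # not a Service Ticket Request Failed record
        try:
            code = int(m.group(4), 0)  # base 0 accepts "32" and "0x20"
        except ValueError:
            continue
        if code in EXPECTED_NOISE:
            noise += 1
            continue
        name = RFC1510_ERRORS.get(code, "UNMAPPED")
        findings[(m.group(2), m.group(3), code, name)] += 1
    return noise, findings

if __name__ == "__main__":
    noise, findings = triage(SAMPLE_EVENTS)
    print(f"code 32 (ticket expired) events set aside: {noise}")
    for (user, service, code, name), n in findings.most_common():
        print(f"{n}x {user} -> {service}: code {code} {name}")
```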
