This security setting determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. The setting must be greater than 10 minutes and less than or equal to the setting for Maximum lifetime for user ticket.

If a client presents an expired session ticket when it requests a connection to a server, the server returns an error message. The client must request a new session ticket from the Kerberos V5 Key Distribution Center (KDC). Once a connection is authenticated, however, it no longer matters whether the session ticket remains valid. Session tickets are used only to authenticate new connections with servers. Ongoing operations are not interrupted if the session ticket that is used to authenticate the connection expires during the connection.

Policy path: 

Computer Configuration\Windows Settings\Local Policies\Kerberos Policy


Clients will get the new setting after a maximum of 8 hours. For DCs to assign these new settings, either run Gpupdate /force or wait the usual 5 minutes until the SCE engine assigns all modified settings.

Default value:

600 minutes (10 hours).

Supported on: 

At least Windows XP SP2, Windows Server 2003

Registry settings: 

Kerberos Policy security settings are not registry keys.
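Because the values are not in the registry, one way to audit them is to read the [Kerberos Policy] section of a security template (a `secedit /export` file or a GPO's GptTmpl.inf) and check the range rule stated at the top of this page. This is an added example, not part of the original page: the template text is a constructed sample, the function names are hypothetical, and it relies on the template storing MaxServiceAge in minutes and MaxTicketAge in hours.

```powershell
# Constructed sample of a security template; in practice read the file
# produced by secedit /export or a GPO's GptTmpl.inf with Get-Content.
$sampleInf = @'
[Unicode]
Unicode=yes
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 720
MaxClockSkew = 5
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
'@

function Get-KerberosPolicy {
    # Collect the numeric key=value pairs of the [Kerberos Policy] section only.
    param([string[]]$Lines)
    $policy = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Kerberos Policy')
        } elseif ($inSection -and $t -match '^(\w+)\s*=\s*(\d+)$') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    return $policy
}

function Test-ServiceTicketLifetime {
    # Apply the rule: > 10 minutes and <= Maximum lifetime for user ticket.
    param([hashtable]$Policy)
    if (-not ($Policy.ContainsKey('MaxServiceAge') -and $Policy.ContainsKey('MaxTicketAge'))) {
        return 'Kerberos Policy is not defined in this template'
    }
    $serviceMinutes = $Policy['MaxServiceAge']       # stored in minutes
    $userMinutes    = $Policy['MaxTicketAge'] * 60   # stored in hours
    $findings = @()
    if ($serviceMinutes -le 10) {
        $findings += "Service ticket lifetime $serviceMinutes min is not greater than 10 min"
    }
    if ($serviceMinutes -gt $userMinutes) {
        $findings += "Service ticket lifetime $serviceMinutes min exceeds user ticket lifetime $userMinutes min"
    }
    if ($findings.Count -eq 0) { return "OK: $serviceMinutes min (user ticket $userMinutes min)" }
    return $findings
}

Test-ServiceTicketLifetime -Policy (Get-KerberosPolicy -Lines ($sampleInf -split '\r?\n'))
```

With the constructed sample, the check reports that 720 minutes exceeds the 600-minute user ticket lifetime, a mismatch that is easy to miss because the two values use different units.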

Reboot required: 


