3.2.5.4 Kerberos Policy
If the Key value is any value other than those listed as valid in the table in section 2.2.2, the client MUST stop processing Kerberos policy settings and log an error.
The existing Kerberos Policy MUST be retrieved by performing the external behavior consistent with locally invoking LsarQueryDomainInformationPolicy ([MS-LSAD] section 3.1.4.4.7).
The PolicyHandle MUST be set to a policy handle opened by performing external behavior consistent with locally invoking LsarOpenPolicy ([MS-LSAD] section 3.1.4.4.2) with DesiredAccess set to MAXIMUM_ALLOWED ([MS-LSAD] section 2.2.1.1.1).
The InformationClass MUST be set to PolicyDomainKerberosTicketInformation ([MS-LSAD] section 2.2.4.15).
Next, the existing Kerberos policy MUST be updated with the settings in Kerberos Policy (section 2.2.2) by performing the external behavior consistent with locally invoking LsarSetDomainInformationPolicy ([MS-LSAD] section 3.1.4.4.8).
The PolicyHandle MUST be set to a policy handle opened by performing external behavior consistent with locally invoking LsarOpenPolicy ([MS-LSAD] section 3.1.4.4.2) with DesiredAccess set to MAXIMUM_ALLOWED ([MS-LSAD] section 2.2.1.1.1).
The InformationClass MUST be set to PolicyDomainKerberosTicketInformation ([MS-LSAD] section 2.2.4.15).
The PolicyDomainInformation MUST be set to the POLICY_DOMAIN_KERBEROS_TICKET_INFO structure that was returned by querying the existing Kerberos policy, updated using the following mapping table. Each element of the POLICY_DOMAIN_KERBEROS_TICKET_INFO structure named in the right column is set to the value that the settings in Kerberos Policy assign to the corresponding key in the left column. If the TicketValidateClient setting is set to "true", then the AuthenticationOptions bit POLICY_KERBEROS_VALIDATE_CLIENT MUST be set.
| Group Policy: Security Protocol Extension | LSAD POLICY_DOMAIN_KERBEROS_TICKET_INFO structure |
|---|---|
| MaxServiceAge | MaxServiceTicketAge |
| MaxTicketAge | MaxTicketAge |
| MaxRenewAge | MaxRenewAge |
| MaxClockSkew | MaxClockSkew |
| TicketValidateClient | AuthenticationOptions bit POLICY_KERBEROS_VALIDATE_CLIENT |
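The following Python sketch is an added example, not part of the specification or of any Microsoft implementation. It models the validate, query, update and set sequence described in this section, using a plain dictionary in place of the POLICY_DOMAIN_KERBEROS_TICKET_INFO structure. Assumptions: the function and variable names are hypothetical, all keys are validated before anything is applied, numeric values are copied without unit conversion, "1" is accepted as well as "true", and any other TicketValidateClient value clears the bit.

```python
import logging

log = logging.getLogger("gpsb.kerberos")

# Mapping table from this section: settings key -> structure field.
FIELD_MAP = {
    "MaxServiceAge": "MaxServiceTicketAge",
    "MaxTicketAge": "MaxTicketAge",
    "MaxRenewAge": "MaxRenewAge",
    "MaxClockSkew": "MaxClockSkew",
}
FLAG_KEY = "TicketValidateClient"
POLICY_KERBEROS_VALIDATE_CLIENT = 0x00000080  # as defined in ntsecapi.h


def apply_kerberos_policy(settings, existing):
    """Return (policy, ok). `existing` stands in for the structure returned
    by the query step and is never modified in place."""
    # Assumption: validate everything first, so an invalid key or value
    # cannot leave a half-applied policy behind.
    for key, value in settings.items():
        bad_key = key not in FIELD_MAP and key != FLAG_KEY
        bad_val = key in FIELD_MAP and not str(value).strip().isdigit()
        if bad_key or bad_val:
            log.error("invalid Kerberos Policy entry %r=%r; not applied", key, value)
            return dict(existing), False

    updated = dict(existing)  # read-modify-write keeps unmapped fields and bits
    for key, value in settings.items():
        if key == FLAG_KEY:
            # The section specifies only the "true" case; accepting "1" and
            # clearing the bit otherwise are assumptions of this example.
            if str(value).strip().lower() in ("true", "1"):
                updated["AuthenticationOptions"] |= POLICY_KERBEROS_VALIDATE_CLIENT
            else:
                updated["AuthenticationOptions"] &= ~POLICY_KERBEROS_VALIDATE_CLIENT
        else:
            updated[FIELD_MAP[key]] = int(value)  # no unit conversion here
    return updated, True


# Constructed sample data, not taken from a real domain.
EXISTING = {"AuthenticationOptions": 0x40, "MaxServiceTicketAge": 600,
            "MaxTicketAge": 10, "MaxRenewAge": 7, "MaxClockSkew": 5, "Reserved": 0}
```

Because the update starts from a copy of the queried structure, fields and AuthenticationOptions bits that the mapping table does not mention are written back unchanged.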