3.3.5.6.3 Check Account Policy for Every TGT Request

Kerberos V5 does not enforce revocation of accounts prior to the expiration of issued tickets.

If the POLICY_KERBEROS_VALIDATE_CLIENT bit is set in the AuthenticationOptions (section 3.3.1) setting on the KDC, then KILE enforces revocation on the KDCs: the KDC MUST verify the account on every TGT request and return the following errors:

  • If Disabled is TRUE, then the KDC MUST return KDC_ERR_CLIENT_REVOKED.

  • If Expired is TRUE, then the KDC MUST return KDC_ERR_CLIENT_REVOKED.

  • If Locked is TRUE, then the KDC MUST return KDC_ERR_CLIENT_REVOKED.

  • If the current time is not within LogonHours, then the KDC MUST return KDC_ERR_CLIENT_REVOKED.

  • If PasswordMustChange is in the past, then the KDC MUST return KDC_ERR_KEY_EXPIRED.

  • If PasswordMustChange is zero, then the KDC MUST return KDC_ERR_KEY_EXPIRED.

  • If the KILE implementation uses Active Directory for the account database and the SR flag of the userAccountControl attribute ([MS-ADTS] section 2.2.16) is set to TRUE, then, because this is a password-based logon, the KDC MUST return STATUS_SMARTCARD_LOGON_REQUIRED.
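As an added illustration (not text or code from MS-KILE or any KDC implementation), a small Python model of the per-request account validation described above. It assumes: LogonHours is a 168-slot mask indexed by weekday*24+hour (Monday = 0, UTC); the "zero" PasswordMustChange value is modelled as the FILETIME epoch 1601-01-01; the checks are evaluated in the order the section lists them (the text states no precedence); and errors are returned by name rather than numeric code.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sentinels: "zero" PasswordMustChange modelled as the FILETIME epoch,
# "never" as the maximum datetime (assumptions, not spec values).
PMC_ZERO = datetime(1601, 1, 1, tzinfo=timezone.utc)
PMC_NEVER = datetime.max.replace(tzinfo=timezone.utc)

@dataclass
class Account:
    """Account state named in this section (field layouts are assumptions)."""
    disabled: bool = False
    expired: bool = False
    locked: bool = False
    logon_hours: tuple = tuple([True] * 168)   # index weekday*24+hour, Monday=0, UTC
    password_must_change: datetime = PMC_NEVER
    smartcard_required: bool = False           # userAccountControl SR flag

def logon_hours_mask(allowed):
    """Build the 168-slot mask from (weekday, first_hour, last_hour) inclusive ranges."""
    mask = [False] * 168
    for weekday, first, last in allowed:
        for hour in range(first, last + 1):
            mask[weekday * 24 + hour] = True
    return tuple(mask)

def validate_client(account, now, validate_client_bit=True):
    """Return None if the TGT request may proceed, else the error the KDC MUST return.
    Checks run in the order the section lists them (the text states no precedence)."""
    if not validate_client_bit:
        return None   # POLICY_KERBEROS_VALIDATE_CLIENT clear: no per-request account check
    if account.disabled or account.expired or account.locked:
        return "KDC_ERR_CLIENT_REVOKED"
    if not account.logon_hours[now.weekday() * 24 + now.hour]:
        return "KDC_ERR_CLIENT_REVOKED"
    pmc = account.password_must_change
    if pmc == PMC_ZERO or pmc < now:           # zero, or already in the past
        return "KDC_ERR_KEY_EXPIRED"
    if account.smartcard_required:
        return "STATUS_SMARTCARD_LOGON_REQUIRED"
    return None

# Constructed sample request time: Wednesday 2024-01-10 09:30 UTC (weekday() == 2)
SAMPLE_NOW = datetime(2024, 1, 10, 9, 30, tzinfo=timezone.utc)

def demo():
    """Evaluate a few constructed account states; returns {scenario: result}."""
    office_hours = logon_hours_mask([(d, 8, 17) for d in range(5)])   # Mon-Fri 08:00-17:59
    return {
        "healthy": validate_client(Account(logon_hours=office_hours), SAMPLE_NOW),
        "disabled_bit_clear": validate_client(Account(disabled=True), SAMPLE_NOW, False),
        "locked": validate_client(Account(locked=True), SAMPLE_NOW),
        "after_hours": validate_client(Account(logon_hours=office_hours), SAMPLE_NOW.replace(hour=22)),
        "pwd_zero": validate_client(Account(password_must_change=PMC_ZERO), SAMPLE_NOW),
        "pwd_past": validate_client(Account(password_must_change=SAMPLE_NOW.replace(year=2023)), SAMPLE_NOW),
        "smartcard": validate_client(Account(smartcard_required=True), SAMPLE_NOW),
    }
```

The `disabled_bit_clear` scenario shows the point of the section: with POLICY_KERBEROS_VALIDATE_CLIENT clear, a disabled account still obtains a TGT and only ticket expiry ends its access.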