Warning for large Kerberos tickets

Supported OS tags: Windows10, Windows10RT, Windows11, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2012, WindowsServer2012R2, WindowsServer2016

This policy setting allows you to configure at what size Kerberos tickets will trigger the warning event issued during Kerberos authentication. The ticket size warnings are logged in the System log. If you enable this policy setting, you can set the threshold limit for Kerberos ticket which trigger the warning events. If set too high, then authentication failures might be occurring even though warning events are not being logged. If set too low, then there will be too many ticket warnings in the log to be useful for analysis. This value should be set to the same value as the Kerberos policy "Set maximum Kerberos SSPI context token buffer size" or the smallest MaxTokenSize used in your environment if you are not configuring using Group Policy. If you disable or do not configure this policy setting, the threshold value defaults to 12,000 bytes, which is the default Kerberos MaxTokenSize for Windows 7, Windows Server 2008 R2 and prior versions.

• Computer
  Allow name-based strong mappings for certificates

  At least Windows Server 2019, Windows 10 Version 2004
• Computer
  Configure hash algorithms for certificate logon

  At least Windows 11 Version 22H2
• Computer
  KDC support for claims, compound authentication and Kerberos armoring

  At least Windows Server 2012, Windows 8 or Windows RT
• Computer
  KDC support for PKInit Freshness Extension

  At least Windows Server 2016, Windows 10
• Computer
  Provide information about previous logons to client computers

  At least Windows Vista
• Computer
  Request compound authentication

  At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
• Computer
  Use forest search order

  At least Windows Server 2008 R2 or Windows 7