Policy selection for ADMX packs

Policy overview

Key metadata and intent for this policy.

ClassComputer

CategorySystem > KDC

Supported onAt least Windows Server 2012, Windows 8 or Windows RT

Supported OS tags: Windows10, Windows10RT, Windows11, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2012, WindowsServer2012R2, WindowsServer2016

This policy setting allows you to configure at what size Kerberos tickets will trigger the warning event issued during Kerberos authentication. The ticket size warnings are logged in the System log. If you enable this policy setting, you can set the threshold limit for Kerberos ticket which trigger the warning events. If set too high, then authentication failures might be occurring even though warning events are not being logged. If set too low, then there will be too many ticket warnings in the log to be useful for analysis. This value should be set to the same value as the Kerberos policy "Set maximum Kerberos SSPI context token buffer size" or the smallest MaxTokenSize used in your environment if you are not configuring using Group Policy. If you disable or do not configure this policy setting, the threshold value defaults to 12,000 bytes, which is the default Kerberos MaxTokenSize for Windows 7, Windows Server 2008 R2 and prior versions.

Internal name

TicketSizeThreshold

Policy ID

d54e69cb2655

Elements

Registry values

How enabled and disabled states update the registry.

Registry location	Type	Enabled value	Disabled value
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters\EnableTicketSizeThreshold	REG_DWORD	1	0

Policy elements

Inputs and configuration options exposed by this policy.

Element	Type	Registry mapping	Constraints & behavior
Ticket Size Threshold ID TicketSizeThreshold	decimal	HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters\TicketSizeThreshold Type REG_DWORD	Range: 12000 to 2147483647

Other policies in this category

Explore related policies at the same level.