You deploy Kerberos policy settings for the entire domain from the Default Domain Policy. This policy is for domain user and computer accounts and determines Kerberos-related settings such as ticket lifetime and enforcement. Kerberos policies do not exist in the local computer policy. The Kerberos policy configuration options contain settings for the Kerberos version 5 authentication protocol: ticket-granting ticket, or TGT, and session ticket lifetime, and timestamp settings. For most organizations the default settings are appropriate. We will find the Kerberos policy in the Group Policy Object Editor, in the Account Policies section of the Computer Configuration node, under Security Settings, beneath the Password and Account Lockout policies.

Kerberos is an authentication protocol that issues identity tickets which allow entities to prove who they are to other entities in a secure manner. Kerberos has several unique advantages as an authentication protocol. It has the ability to provide delegated authentication by allowing Windows operating system services to impersonate a client computer when accessing resources. Third, Kerberos provides single sign-on for domain users and computers by issuing TGTs that they can trade for session tickets to access specific server sessions. Kerberos has expansive interoperability with other network components because Kerberos is part of the TCP/IP suite of non-proprietary protocols. Kerberos provides more efficient authentication with servers because it uses Kerberos session tickets presented by user-level services for approved access to server resources. Finally, Kerberos delivers mutual authentication, because the server presents its credentials back to the user-level services.

Now let's talk about Kerberos policy. You can use the Kerberos policy in a GPO to enforce user sign-in restrictions and to define thresholds for maximum service and user ticket lifetime, maximum user ticket renewal lifetime, and the maximum time computer clocks can be out of synchronization.

The first setting is Enforce user logon restrictions. This setting determines if the Kerberos version 5 Key Distribution Center, or KDC, validates every session ticket request against the user account's user rights policy. This can add extra security, but it is not required. Choosing to enforce user logon restrictions can slow down services' access to network resources. This setting is enabled by default.

The next setting is Maximum lifetime for service ticket. It defines the maximum time that a service ticket is valid for authenticating client access to a particular service. If the service ticket expires before the client requests the server connection, the server will respond with an error and the client redirects requests back to the KDC to receive a new service ticket. This maximum lifetime must be at least 10 minutes but not greater than the maximum lifetime for a user ticket. By default the maximum service ticket lifetime is six hundred minutes, or ten hours.

The next setting is Maximum lifetime for user ticket. It sets the amount of time a user account's TGT is valid. The default is ten hours.

Next up is Maximum lifetime for user ticket renewal. It sets the amount of time, in days, for which the user account's TGT can be renewed. The default is 7 days.

Next up is Maximum tolerance for computer clock synchronization. It determines the amount of time the client computer's clock can be out of sync with the domain controller. The primary domain controller, or PDC, emulator operations master role in a domain determines the correct time for the entire domain. The domain replication packets, TGTs, and service tickets are time-stamped, and the times on the various tickets and packets are verified between corresponding computers. However, it is possible for any two computers to be out of sync on their clocks. Administrators can set the amount of time by which the clocks can be out of sync. The default for this setting is five minutes.

Now you can create access control based on claims and compound authentication by deploying Dynamic Access Control, or DAC. You must ensure that you have sufficient Windows Server 2008 or newer domain controllers available that use these new authorization types. The KDC administrative template policy setting allows you to configure a domain controller to support claims and compound authentication for DAC and Kerberos armoring. Additionally, a Windows Server 2012 or newer domain controller is required for Kerberos clients running the Windows 10, Windows 8.1, or Windows 8 operating systems to support claims and compound authentication by using Kerberos authentication. Please note that devices that run Windows 8 and newer operating systems will fail authentication if they cannot find a domain controller that is running Windows Server 2012 or newer. You must ensure that there are sufficient domain controllers that run Windows Server 2012 or newer for the account, referral, and resource domains that are supported.

Next up we'll see how to configure domain account policies.