Creating authentication policies

Before we create policies, we need to enable DAC support for domain controllers and devices. DAC allows administrators to apply access control permissions and restrictions based on rules that can include the characteristics of the resources.

To enable DAC for domain controllers, perform the following steps:

  1. Go to the Group Policy Management MMC.
  2. Edit Default Domain Controllers Policy.
  3. Go to Computer Configuration | Policies | Administrative Templates | System | KDC.
  4. Click on Enabled to enable KDC support for claims, compound authentication and Kerberos armoring.
  5. Under the options, select Always provide claims and click on OK. This will ensure that it always returns claims for accounts and supports the RFC behavior to advertise Flexible Authentication Secure Tunneling (FAST):

To enable DAC for computers, perform the following steps:

  1. Go to the Group Policy Management MMC.
  2. Edit Default Domain Policy.
  1. Go to Computer Configuration | Policies | Administrative Templates | System | Kerberos.
  2. Click on Enabled in Kerberos client support for claims, compound authentication and Kerberos armoring.
  3. Once this is done, we can create a new authentication policy using the New-ADAuthenticationPolicy cmdlet. This can also be created using ADAC:

As an example, let's create a new authentication policy called AP_1hr_TGT with a TGT lifetime of 60 minutes:

New-ADAuthenticationPolicy -Name "AP_1hr_TGT" -UserTGTLifetimeMins 60 -Enforce

In the preceding command, -UserTGTLifetimeMins defines the TGT lifetime for user accounts and the -Enforce parameter enforces policy restrictions.