Inquiries related to maximum lifetime for user ticket.


Good afternoon, my Cx was curious about some questions that came along with Golden Ticket Alert.


I tried to figure it out, but was not able to locate sources for the questions. Here are the questions.

Also, I attached the snapshot for better understanding. Thank you in advance!


What exactly does "Due to insufficient source data, default maximum lifetime for user tickets" mean?

> About this I assume there is no existing policy set up yet for the particular case, so it applied default settings. Can anybody elaborate what this means?



What source data is it looking for and how can there be an insufficient amount of it?

> I am not sure, any insights will be appreciated. 

An additional question: what does this alert think the default life of a golden ticket is?

> I was not sure on this either. Please provide any insights.




1 Reply
This comment means that MDI failed to read the default Kerberos policy for the domain (you can probably find an error in the Sensor logs).
Since we failed to read it, we assume the default in AD, which is 10 hours.
This is important, as if the customer knows the default policy is set to something else, larger, then most chances are this is a false positive, and you need to find out why we weren't able to read the policy so it won't happen again.
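
A triage sketch for the reply above, added here as an example and not part of the original thread or MDI's own logic: it reads `MaxTicketAge` (hours) from the `[Kerberos Policy]` section of a domain policy security template and compares an observed ticket lifetime against both the 10-hour fallback and the configured value. The template text is constructed, and the function names and result labels are hypothetical.

```python
import configparser

# Fallback the reply says is assumed when the domain Kerberos policy cannot be read.
FALLBACK_HOURS = 10

# Constructed sample of a security template (GptTmpl.inf style); values are illustrative.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Kerberos Policy]
MaxTicketAge = 24
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""


def max_ticket_age_hours(template_text):
    """Return the configured MaxTicketAge in hours, or None if it is not set."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True, delimiters=("=",)
    )
    parser.optionxform = str  # keep option names case-sensitive as written
    parser.read_string(template_text.lstrip("\ufeff"))  # tolerate a leading BOM
    value = parser.get("Kerberos Policy", "MaxTicketAge", fallback=None)
    return int(value.strip()) if value else None


def triage(observed_hours, template_text):
    """Classify an alert raised against the 10-hour fallback (hypothetical labels)."""
    policy = max_ticket_age_hours(template_text)
    if policy is None:
        return "policy-missing"          # nothing to compare against; check the policy itself
    if observed_hours <= FALLBACK_HOURS:
        return "within-default"          # would not exceed even the fallback
    if observed_hours <= policy:
        return "likely-false-positive"   # allowed by the real policy, only over the fallback
    return "exceeds-policy"              # longer than the domain actually permits


if __name__ == "__main__":
    for hours in (8, 18, 30):
        print(hours, triage(hours, SAMPLE_TEMPLATE))
```

A "likely-false-positive" result still leaves the second task from the reply open: finding out from the Sensor logs why the policy could not be read.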