Inquiries related to maximum lifetime for user ticket.


Good afternoon, my customer was curious about some questions that came along with a Golden Ticket alert.


I tried to figure it out, but was not able to locate sources for the questions. Here are the questions.

Also, I attached the snapshot for better understanding. Thank you in advance!


What exactly does "Due to insufficient source data, default maximum lifetime for user tickets" mean?

> About this, I assume there is no existing policy set up yet for the particular case, so it applied the default settings. Can anybody elaborate on what this means?

What source data is it looking for, and how can there be an insufficient amount of it?

> I am not sure, any insights will be appreciated. 

An additional question: what does this alert think the default life of a golden ticket is?

> I was not sure on this either. Please provide any insights.



V/r,

This comment means that MDI failed to read the default Kerberos policy for the domain (you can probably find an error in the Sensor logs).
Since we failed to read it, we assume the default in AD, which is 10 hours.
This is important, as if the customer knows the default policy is set to something else, larger, then most likely this is a false positive, and you need to find out why we weren't able to read the policy so it won't happen again.
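The reply above says the alert compares the observed ticket lifetime against the domain's Kerberos policy and falls back to 10 hours when that policy cannot be read. The following PowerShell is an added example, not code from the thread or from Microsoft: it reads the "Maximum lifetime for user ticket" value (MaxTicketAge) directly from the Default Domain Policy's GptTmpl.inf on SYSVOL, which is where that setting normally lives, and reports whether it differs from the 10-hour fallback. It assumes a domain-joined host with the RSAT ActiveDirectory module installed and that the Kerberos policy is set in the Default Domain Policy (well-known GUID {31B2F340-016D-11D2-945F-00C04FB984F9}); if your organisation moved those settings to another GPO, point $gpoGuid at that GPO's Id from Get-GPO instead.

```powershell
# Added example (not from the thread): read the Kerberos policy that MDI compares
# ticket lifetimes against, straight from the Default Domain Policy on SYSVOL,
# and compare it with the 10-hour fallback the sensor uses when it cannot read it.
# Assumptions: RSAT ActiveDirectory module present, and the Kerberos settings
# live in the Default Domain Policy (its well-known GUID is hard-coded below).

Import-Module ActiveDirectory

$domain  = (Get-ADDomain).DNSRoot
$gpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'   # Default Domain Policy
$inf     = "\\$domain\SYSVOL\$domain\Policies\$gpoGuid\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

if (-not (Test-Path -Path $inf)) {
    throw "Cannot read $inf - check SYSVOL replication and permissions; a sensor that cannot read it falls back to defaults."
}

# Pull the [Kerberos Policy] section out of the INF (entries are 'Name = Value').
$kerb      = @{}
$inSection = $false
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^\[(.+)\]\s*$') {
        $inSection = ($Matches[1] -eq 'Kerberos Policy')
        continue
    }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(\d+)') {
        $kerb[$Matches[1]] = [int]$Matches[2]
    }
}

if (-not $kerb.ContainsKey('MaxTicketAge')) {
    Write-Warning 'No MaxTicketAge under [Kerberos Policy]; the effective value is the built-in 10-hour default.'
    $maxTicketAgeHours = 10
} else {
    $maxTicketAgeHours = $kerb['MaxTicketAge']
}

[pscustomobject]@{
    Domain                   = $domain
    MaxTicketAgeHours        = $maxTicketAgeHours        # "Maximum lifetime for user ticket"
    MaxRenewAgeDays          = $kerb['MaxRenewAge']      # "Maximum lifetime for user ticket renewal"
    MaxServiceAgeMinutes     = $kerb['MaxServiceAge']    # "Maximum lifetime for service ticket"
    DiffersFromSensorDefault = ($maxTicketAgeHours -ne 10)
}

# Cross-check against what a DC has actually applied (run on the DC itself):
#   secedit /export /cfg "$env:TEMP\secpol.inf" /areas SECURITYPOLICY
#   Select-String -Path "$env:TEMP\secpol.inf" -Pattern 'MaxTicketAge'
```

If DiffersFromSensorDefault is True and the alert still carries the "insufficient source data" text, the sensor evaluated the ticket against 10 hours rather than your real policy, which is exactly the false-positive case the reply describes, and the sensor's failure to read the policy is what needs fixing. If the value is 10, the fallback changes nothing and the alerts have to be investigated on their own merits.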
We are getting flooded with MDI alerts 'Suspected Golden Ticket usage (time anomaly) on one endpoint' and we verified the default domain policy is set to 10 hours for 'maximum lifetime for a user ticket'.
Is there something we should be looking for on the MDI sensor logs that would point to the sensor not being able to read the policy?
Were you able to resolve this and determine if the MDI sensor was unable to read the policy value?
I checked the MDI sensors and I am not seeing any open health issues being reported. If the sensor is unable to read the domain policy, would it be smart enough to consider this a health issue?

@gurulee73 Not being able to read the policy will not trigger a normal health alert in the portal,
as for 99.9% of customers we fall back to the default of 10 hours, which works fine.
Please open a support ticket to troubleshoot why the sensor fails to read the correct policy.

So if I understand you correctly, if the MDI sensor did have a problem with reading the domain policy, then it would in fact trigger a sensor health issue. Is that correct?

Also, we got this alert for DS object auditing not being configured properly. Would this be related?
"Directory Services Object Auditing is not configured as required on <domain>..."

I opened an MS SR for assistance.