Maximum lifetime for user ticket renewal This policy setting determines the period of time (in days) during which a user's ticket-granting ticket (TGT) can be renewed. To prevent 'replay attacks,' the Kerberos authentication protocol uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the domain controller need to be synchronized as closely as possible. Because the clocks of two computers are often not synchronized, administrators can use this policy to establish the maximum elapsed time within which a Kerberos negotiation must complete; the elapsed time is computed from the timestamps. The value of this setting limits the maximum time difference that can be tolerated between the domain controller and the client computer.

(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy!Maximum lifetime for user ticket renewal (2) WMI: root\rsop\computer#RSOP_SecuritySettingNumeric#Setting#KeyName='MaxRenewAge'