krb5.cache.infinite.renewal.batch.groups
This configuration parameter specifies a list of Active Directory groups whose members’ Kerberos credentials require infinite renewal even after the users have logged out.
Requirements to use this parameter:
- Specified groups must be Active Directory groups.
- Groups do not need to be zone enabled.
- To have their credentials automatically renewed, users in the group must:
  - Be zone enabled (that is, mapped users are not supported).
  - Log into the desired system once using the Account Password.
- You must use the following format to specify group names:
  SamAccountName@domain
For example:
krb5.cache.infinite.renewal.batch.groups: test_group_sam@example.com
By default, this parameter does not list any groups.
You can also use group policy to set this parameter.