Principal Name 

The name of the principal (the primary/instance part of a fully-qualified principal name). A principal is a unique identity to which the KDC can assign tickets.

If you are modifying a principal, you cannot edit a principal's name. 

Password 

The password for the principal. You can use the Generate Random Password button to create a random password for the principal. 

Policy 

A menu of available policies for the principal. 

Account Expires 

The date and time on which the principal's account expires. When the account expires, the principal can no longer get a ticket-granting ticket (TGT) and may not be able to log in. 

Last Principal Change  

The date on which information for the principal was last modified. (Read-only) 

Last Changed By 

The name of the principal that last modified the account for this principal. (Read-only) 

Comments 

Comments related to the principal (for example, 'Temporary Account') 

Last Success 

The date and time when the principal last logged in successfully. (Read-only) 

Last Failure 

The date and time when the last login failure for the principal occurred. (Read-only) 

Failure Count 

The number of times that there has been a login failure for the principal. (Read-only) 

Last Password Change 

The date and time when the principal's password was last changed. (Read-only) 

Password Expires 

The date and time when the principal's current password will expire. 

Key Version 

The key version number for the principal; this is normally changed only when a password has been compromised. 

Maximum Lifetime (seconds) 

The maximum length of time for which a ticket can be granted for the principal (without renewal). 

Maximum Renewal (seconds) 

The maximum length of time for which an existing ticket can be renewed for the principal. 

Disable Account 

When checked, prevents the principal from logging in. This is an easy way to freeze a principal account temporarily for any reason. 

Require Password Change 

When checked, expires the principal's current password, forcing the user to use the kpasswd command to create a new password. This is useful if there is a security breach and you need to make sure that old passwords are replaced.

Allow Postdated Tickets 

When checked, allows the principal to obtain postdated tickets.  

For example, you may need to use postdated tickets for cron jobs that must run after hours and can't obtain tickets in advance because of short ticket lifetimes. 

Allow Forwardable Tickets 

When checked, allows the principal to obtain forwardable tickets. 

Forwardable tickets are tickets that are forwarded to the remote host to provide a single-sign-on session. For example, if you are using forwardable tickets and you authenticate yourself through ftp or rsh, other services, such as NFS services, are available without your being prompted for another password.

Allow Renewable Tickets 

When checked, allows the principal to obtain renewable tickets. 

A principal can automatically extend the expiration date or time of a ticket that is renewable (rather than having to get a new ticket after the first one expires). Currently, the NFS service is the only service that can renew tickets. 

Allow Proxiable Tickets 

When checked, allows the principal to obtain proxiable tickets. 

A proxiable ticket is a ticket that can be used by a service on behalf of a client to perform an operation for the client. With a proxiable ticket, a service can take on the identity of a client and obtain a ticket for another service, but it cannot obtain a ticket-granting ticket. 

Allow Service Tickets 

When checked, allows service tickets to be issued for the principal. 

You should not allow service tickets to be issued for the kadmin/hostname and changepw/hostname principals. This ensures that these principals can only update the KDC database.

Allow TGT-Based Authentication 

When checked, allows the service principal to provide services to another principal. More specifically, it allows the KDC to issue a service ticket for the service principal. 

This attribute is valid only for service principals. When not checked, service tickets cannot be issued for the service principal. 

Allow Duplicate Autentication 

When checked, allows the user principal to obtain service tickets for other user principals. 

This attribute is valid only for user principals. When not checked, the user principal can still obtain service tickets for service principals, but not for other user principals. 

Required Preauthentication 

When checked, the KDC will not send a requested ticket-granting ticket (TGT) to the principal until it can authenticate (through software) that it is really the principal requesting the TGT. This preauthentication is usually done through an extra password, for example, from a DES card. 

When not checked, the KDC does not need to preauthenticate the principal before it sends a requested TGT to it. 

Required Hardward Authentication 

When checked, the KDC will not send a requested ticket-granting ticket (TGT) to the principal until it can authenticate (through hardware) that it is really the principal requesting the TGT. Hardware preauthentication can be something like a Java ring reader. 

When not checked, the KDC does not need to preauthenticate the principal before it sends a requested TGT to it. 

Policy Name 

The name of the policy. A policy is a set of rules governing a principal's password and tickets. 

If you are modifying a policy, you cannot edit a policy's name. 

Minimum Password Length 

The minimum length for the principal's password. 

Minimum Password Classes 

The minimum number of different character types required in the principal's password. 

For example, a minimum classes value of 2 means that the password must have at least two different character types, such as letters and numbers (hi2mom). A value of 3 means that the password must have at least three different character types, such as letters, numbers, and punctuation (hi2mom!). And so on.  

A value of 1 basically sets no restriction on the number of password character types. 

Saved Password History 

The number of previous passwords that have been used by the principal and cannot be reused. 

Minimum Password Lifetime (seconds) 

The minimum time that the password must be used before it can be changed. 

Maximum Password Lifetime (seconds) 

The maximum time that the password can be used before it must be changed. 

Principals Using This Policy 

The number of principals to which this policy currently applies. (Read-only)