By default, the agent verifies a user's TGT by retrieving and verifying a service ticket for the local system. This check is done to prevent a well-known attack (the Zanarotti or screen-saver attack) whereby a rogue KDC could respond to the agent’s request for the user’s TGT.
However, the spoofing check can be time consuming, so you can set this parameter to false to disable the spoofing check and significantly improve authentication performance.
For example, to disable the check:
If this parameter is not defined in the configuration file, the default value is true.