how to properly renew a renewal TGT

Dave Botsch botsch at
Mon Dec 8 10:24:47 EST 2014

So, from reading the RFC and looking at what Kerberos clients do, it
seems there are potentially several different ways to renew a renewable

I'm looking, in this case, at what a MS Windows client does with a MIT
Kerberos KDC, when I *don't* get another renewable TGT on the renewal.

So, at renew time, MS Windows is sending back to the MIT KDC the
original renewable TGT. In the Request Body section, the client requests
a TGT with the following set:

a 'till of 2037-09-13
the Renew option set in the flags

and that's it.

The MIT KDC sends back a new TGT that is not renewable and with the
renew till time the same as the end time.

I suspect that in this case, the MS Client should be also setting the
Renewable OK flag, since it's basically requesting a long term ticket?

Or, it should be requesting specific end and renew till times with the
RENEW and Renewable flags set?


David William Botsch
botsch at
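
For readers comparing renewal requests from a packet capture, the following is an added example, not part of the original post: it decodes the 32-bit kdc-options value of a KDC-REQ and reports which of the renewal-related options discussed above are present. The helper names (`decode_kdc_options`, `describe_renewal`, `rtime_present`) and the sample values are constructed for illustration.

```python
# Added example. Bit numbers follow the KDCOptions definition in RFC 4120,
# where bit 0 is the most significant bit of the 32-bit flag field.
KDC_OPTION_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "allow-postdate", 6: "postdated", 8: "renewable",
    11: "opt-hardware-auth", 15: "canonicalize",  # canonicalize: RFC 6806
    26: "disable-transited-check", 27: "renewable-ok",
    28: "enc-tkt-in-skey", 30: "renew", 31: "validate",
}


def decode_kdc_options(value):
    """Return the names of the options set in a 32-bit kdc-options value."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("kdc-options is a 32-bit flag field")
    return {name for bit, name in KDC_OPTION_BITS.items()
            if value & (1 << (31 - bit))}


def describe_renewal(value, rtime_present=False):
    """Summarise the renewal-related parts of a request (hypothetical helper)."""
    opts = decode_kdc_options(value)
    notes = []
    if "renew" not in opts:
        return opts, ["RENEW not set: not a renewal request"]
    if "renewable" not in opts:
        notes.append("RENEW without RENEWABLE: the request shape in the post")
    if "renewable-ok" not in opts:
        notes.append("RENEWABLE-OK not set")
    if not rtime_present:
        notes.append("no rtime (requested renew-till) in the request body")
    return opts, notes


if __name__ == "__main__":
    # Constructed sample values, not taken from a real capture.
    samples = {
        "renew only": (0x00000002, False),
        "renew + renewable + rtime": (0x00800002, True),
    }
    for label, (value, rtime_present) in samples.items():
        opts, notes = describe_renewal(value, rtime_present)
        print(f"{label}: 0x{value:08x} -> {sorted(opts)}")
        for note in notes:
            print("   ", note)
```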

