how to properly renew a renewal TGT

Greg Hudson ghudson at
Tue Dec 9 14:03:24 EST 2014

On 12/08/2014 10:24 AM, Dave Botsch wrote:
> So, at renew time, MS Windows is sending back to the MIT KDC the
> original renewable TGT. In the Request Body section, the client requests
> a TGT with [only the Renew kdc-option set].
> The MIT KDC sends back a new TGT that is not renewable and with the
> renew til time the same as the end time.

There is an argument that the Microsoft client is reasonable and our KDC
behavior is incorrect.  RFC 4120 states "The KDC will issue a new ticket
with a new session key and a later expiration time.  All other fields of
the ticket are left unmodified by the renewal process."

> I suspect that in this case, the MS Client should be also setting the
> Renewable OK flag, since it's basically requesting a long term ticket?

renewable-ok has a different meaning; it means "if I requested a
lifetime longer than the maximum allowable ticket lifetime, please give
me a renewable ticket for as much of the remainder as you are willing to
let me renew it for."

Practically, the Microsoft client should probably set the renewable flag
for renewal requests because neither the MIT krb5 nor the Heimdal KDC
(by my reading) will set the renewable ticket flag if it is not in
the request options.

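The following is an added toy model of the two behaviours discussed in this thread; it is example code written for this page, not MIT krb5 or Heimdal source. It simulates a KDC handling a TGS-REQ with the RENEW option under two policies: `"rfc4120"`, which copies all flags from the ticket being renewed, and `"strict"`, which (as the thread reports for the MIT KDC) only sets the renewable flag when the request options ask for it. It also models the separate meaning of renewable-ok on an initial request. All names (`Ticket`, `renew`, `initial_request`, `MAX_LIFE`, `MAX_RENEW`), the lifetime constants and the sample timestamps are constructed assumptions, not values from a real KDC.

```python
"""Toy model of Kerberos ticket renewal semantics (added example, not KDC code)."""
from dataclasses import dataclass
import secrets

# KDC option / ticket flag names, spelled as in RFC 4120 prose.
RENEWABLE = "renewable"
RENEW = "renew"
RENEWABLE_OK = "renewable-ok"
FORWARDABLE = "forwardable"

# Assumed KDC policy: 10 hour max ticket life, 7 day max renewable life.
MAX_LIFE = 10 * 3600
MAX_RENEW = 7 * 24 * 3600


@dataclass(frozen=True)
class Ticket:
    session_key: bytes
    start: int        # seconds since an arbitrary epoch (constructed)
    end: int
    renew_till: int
    flags: frozenset


def renew(ticket, options, now, policy="rfc4120"):
    """Handle a TGS-REQ carrying the RENEW option.

    policy="rfc4120": all flags of the old ticket are left unmodified.
    policy="strict":  the renewable flag is set only if the request options
                      contain it (the behaviour the thread describes for MIT).
    """
    if RENEW not in options:
        raise ValueError("not a renewal request")
    if RENEWABLE not in ticket.flags:
        raise ValueError("KDC_ERR_BADOPTION: ticket is not renewable")
    if now >= ticket.end:
        raise ValueError("KRB_AP_ERR_TKT_EXPIRED: ticket already expired")
    if now >= ticket.renew_till:
        raise ValueError("renew-till reached; ticket can no longer be renewed")

    # New session key and a later end time, bounded by renew-till.
    new_end = min(now + MAX_LIFE, ticket.renew_till)

    if policy == "rfc4120":
        flags = set(ticket.flags)
    elif policy == "strict":
        flags = set(ticket.flags) - {RENEWABLE}
        if RENEWABLE in options:
            flags.add(RENEWABLE)
    else:
        raise ValueError("unknown policy")

    # A non-renewable ticket has renew-till equal to its end time.
    renew_till = ticket.renew_till if RENEWABLE in flags else new_end
    return Ticket(secrets.token_bytes(16), now, new_end, renew_till, frozenset(flags))


def initial_request(requested_end, options, now):
    """Model renewable-ok on an AS-REQ: if the requested lifetime exceeds the
    maximum, return a renewable ticket covering as much of the remainder as
    policy allows; otherwise a plain ticket of the maximum life."""
    end = min(requested_end, now + MAX_LIFE)
    if requested_end > end and RENEWABLE_OK in options:
        renew_till = min(requested_end, now + MAX_RENEW)
        flags = frozenset({RENEWABLE})
    else:
        renew_till = end
        flags = frozenset()
    return Ticket(secrets.token_bytes(16), now, end, renew_till, flags)


if __name__ == "__main__":
    tgt = Ticket(b"k", 0, 36000, 604800, frozenset({RENEWABLE, FORWARDABLE}))
    for policy in ("rfc4120", "strict"):
        t = renew(tgt, {RENEW}, now=30000, policy=policy)
        print(policy, sorted(t.flags), t.end, t.renew_till)
```

Running the block shows that under `"rfc4120"` a RENEW-only request keeps the ticket renewable with the original renew-till, while under `"strict"` the result is non-renewable with renew-till equal to the new end time, which is what the quoted observation describes; adding the renewable option to the request restores the flag under either policy.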