Kerberos ticket expiry for SSO in ELM

The Microsoft Active Directory Key Distribution Center (KDC) or domain controller has the final authority on Kerberos ticket expiry times.

By using the Kerberos policy settings in Group Policy, administrators can limit how long a ticket remains valid. The policy applies to all accounts in the domain; a client can request a shorter lifetime than the policy allows, but never a longer one. The default ticket lifetime for Active Directory is 10 hours, with a minimum of 1 hour. After a ticket expires, it cannot be used.

Before a ticket expires, it can be renewed if it was issued as renewable and renewal is permitted by the Active Directory policy. The period during which a ticket can be renewed is also limited: the default is 7 days, with a minimum of 1 day. Renewal cannot extend a ticket past that limit.

If the client ticket was obtained with Microsoft Windows logon credentials and has not yet expired, Windows attempts to renew it automatically. If the ticket has expired, the client is prompted for credentials again; in this case Windows usually shows a warning that it does not hold a valid ticket. If the user locks the client computer and then unlocks it with logon credentials, a new ticket is issued.

Normally, if a client ticket is obtained with the UNIX kinit utility, the user can further limit the ticket lifetime and renewal period by editing the client krb5.conf file (the ticket_lifetime and renew_lifetime settings in the [libdefaults] section). However, the IBM JRE ignores these client-side limits and any renewal values. Therefore, if you use either the IBM JRE kinit utility or the UNIX kinit utility, assume that the ticket does not renew itself.

If the client is running on UNIX and the ticket is renewable and not yet expired, the user can renew it without providing credentials again by running the kinit -R command. This command can be run in a script, as a cron job, or from the command line. Once the ticket has expired, or the renewal limit set by the KDC has been reached, kinit -R fails and a new ticket must be obtained with kinit, which requires credentials (a password or a keytab).
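The following script is an added example for the UNIX kinit scenario described in the two paragraphs above; it is not part of the IBM ELM documentation and does not apply to the IBM JRE kinit, which ignores renewal values. It assumes MIT Kerberos (kinit -R renews, kinit -r requests a renewable ticket), a hypothetical service principal and keytab path, and constructed epoch times for the decision function. The decide function encodes the rules from the text: a ticket can only be renewed while it is still valid and while the KDC's renew-until limit has not been reached; otherwise a fresh ticket is needed.

```shell
#!/bin/sh
# Added example, not IBM's code. Decides whether a MIT Kerberos ticket should
# be left alone, renewed with `kinit -R`, or re-acquired, and wraps that
# decision for use from cron. PRINCIPAL and KEYTAB are hypothetical values.
# A ticket obtained without `kinit -r` is not renewable: pass RENEW_UNTIL=0.

PRINCIPAL="${PRINCIPAL:-svc-elm@EXAMPLE.COM}"   # hypothetical principal
KEYTAB="${KEYTAB:-/etc/krb5/svc-elm.keytab}"   # hypothetical keytab path
LEAD=900                                        # act when < 15 min of life remains

# decide NOW EXPIRES RENEW_UNTIL [LEAD]  -> prints: ok | renew | reacquire
# All arguments are epoch seconds.
decide() {
    now=$1; expires=$2; renew_until=$3; lead=${4:-$LEAD}
    if [ "$now" -ge "$expires" ]; then
        echo reacquire          # expired: kinit -R fails, credentials are needed
    elif [ $((expires - now)) -gt "$lead" ]; then
        echo ok                 # enough lifetime left, nothing to do yet
    elif [ "$renew_until" -gt "$expires" ]; then
        echo renew              # renewable and the KDC renewal window is still open
    else
        echo reacquire          # never renewable, or renew-until already reached
    fi
}

# For cron, e.g. "*/10 * * * * /usr/local/bin/krb-refresh.sh run":
# `klist -s` exits non-zero when no valid ticket is cached, `kinit -R` fails once
# the renewal limit is reached, and either case falls back to the keytab.
# `-r 7d` asks for a renewable ticket; the KDC caps it at the domain policy.
refresh() {
    if klist -s 2>/dev/null && kinit -R 2>/dev/null; then
        echo "renewed ticket for $PRINCIPAL"
    else
        kinit -k -t "$KEYTAB" -r 7d "$PRINCIPAL" && echo "re-acquired ticket for $PRINCIPAL"
    fi
}

if [ "$1" = run ]; then
    refresh
fi
```

Run it with the argument run from cron; without arguments it only defines the functions, so the decision logic can be exercised with constructed times, for example decide 4500 5000 10000 prints renew while decide 4500 5000 0 prints reacquire.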
