OS X and Active Directory Integration: Kerberos TGT Renewal

Results of a klist command showing an expired TGT

It takes a little work to get OS X working completely with Active Directory, and one of the issues that confounds users is how OS X handles Kerberos. Apple ships the standard Kerberos client tools (kinit, klist, kdestroy) with OS X, so it works out of the box; the implementation is the open-source one (MIT Kerberos in older releases, Heimdal from 10.7 onward) rather than something Apple wrote from scratch. For the most part, Kerberos works as intended.

The one frustrating part of OS X's Kerberos behavior is that, by default, nothing renews a Ticket Granting Ticket (TGT) before it expires or obtains a new one afterward. An AD-issued TGT is good for 10 hours by default (the domain's "Maximum lifetime for user ticket" policy) and can be renewed without a password only while it is still valid and within its renewable lifetime (7 days by default, "Maximum lifetime for user ticket renewal"); once it has expired it cannot be renewed, and a new one must be obtained with the user's password. Since many users never log out at the end of the day, it is common for an OS X system with default settings to end up holding an expired TGT, and the user is then presented with password prompts when accessing Kerberos-protected resources. There are two ways around this:

  1. Open Terminal and run 'kinit'. It prompts for your password and uses it to request a new TGT. While the current TGT is still valid, 'kinit -R' renews it without a password; 'klist' shows the expiry time, so you can tell which situation you are in.
  2. In System Preferences -> Security & Privacy -> General, set the option "Require password after sleep or screen saver begins" to "Immediately." When you wake the computer from sleep, trigger the screen saver with a hot corner, or return after the screen saver has started, the system prompts for your credentials. Because the Mac is bound to AD, the unlock uses that password to obtain a new TGT if the old one has expired.

For the average user, option 2 is obviously easier. If you use a device management solution, you can enforce the sleep/screen-saver re-authentication setting for all users. It has security benefits well beyond making Kerberos usable (an unattended Mac locks immediately), so enabling it should be a no-brainer. Note that neither option helps a Mac that stays unlocked and in use past the ticket lifetime: the TGT still expires, and something has to renew it before that happens.
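A third approach, shown here as an added example that is not part of the original post, is to renew the ticket proactively from a periodic job so it never reaches expiry in the first place. The script assumes the klist and kinit that ship with OS X (Heimdal) or MIT Kerberos, both of which support 'klist -s' (exit status 0 only when a valid TGT is present) and 'kinit -R' (renew the current ticket without a password). The KLIST and KINIT variables and the tgt_maintain and tgt_advice function names are this example's own choices, made overridable so the logic can be exercised without a KDC.

```shell
#!/bin/sh
# Added example, not part of the original post. Keeps an AD-issued TGT alive
# by renewing it from a periodic job (for example a launchd agent) before it
# expires. Assumes the klist and kinit shipped with OS X (Heimdal) or MIT
# Kerberos, which both support 'klist -s' (exit 0 only if a valid TGT exists)
# and 'kinit -R' (renew the current ticket without a password).
#
# KLIST and KINIT are overridable so the logic can be exercised without a KDC.
KLIST=${KLIST:-klist}
KINIT=${KINIT:-kinit}

# tgt_maintain: inspect the credential cache and renew when possible.
# Prints one word describing the outcome and returns 0 if a valid TGT remains:
#   renewed       - TGT was valid and has been renewed (expiry pushed forward)
#   renew-failed  - TGT is valid but the KDC refused renewal; it was not issued
#                   renewable or its renewable lifetime (AD default 7 days)
#                   is used up, so a fresh kinit will be needed before expiry
#   expired       - no valid TGT; renewal is impossible once a ticket has
#                   expired, and a new one needs the user's password
tgt_maintain() {
    if "$KLIST" -s >/dev/null 2>&1; then
        if "$KINIT" -R >/dev/null 2>&1; then
            echo renewed
        else
            echo renew-failed
        fi
        return 0
    fi
    echo expired
    return 1
}

# tgt_advice: turn an outcome word into the action the user has to take, if any.
tgt_advice() {
    case "$1" in
        renewed)      echo "TGT renewed; nothing to do" ;;
        renew-failed) echo "TGT valid but not renewable; run kinit before it expires" ;;
        expired)      echo "TGT expired; run kinit and enter your AD password" ;;
        *)            echo "unknown state: $1" ;;
    esac
}

# Run once per invocation. A launchd agent with a StartInterval shorter than
# the ticket lifetime (e.g. every hour against AD's 10-hour default) keeps the
# ticket renewed for as long as the KDC allows.
state=$(tgt_maintain)
tgt_advice "$state" >&2
```

Schedule it with a per-user launchd agent whose StartInterval is well under the ticket lifetime; it cannot resurrect a ticket that has already expired, so it only helps if it runs before that point. Once the renewable lifetime (7 days by default) is exhausted the KDC stops renewing and the user has to enter the password again, which is exactly what option 2 above handles at the next screen unlock.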