2.3. Renewable Tickets
Purpose
Applications may desire to hold tickets that can be valid for long periods of time. However, this can expose their credentials to potential theft for equally long periods. Renewable tickets can be used to mitigate the consequences of theft.
How Renewable Tickets Work
Two Expiration Times
Renewable tickets have two "expiration times":
- First expiration: When the current instance of the ticket expires
- Second expiration: The latest permissible value for an individual expiration time
Renewal Process
- Application client must periodically (before it expires) present a renewable ticket to the KDC
- Set the RENEW option in the KDC request
- KDC issues a new ticket with:
  - New session key
  - Later expiration time
  - All other fields left unmodified
Security Features
- When the latest permissible expiration time arrives, the ticket expires permanently
- At each renewal, the KDC MAY consult a hot-list to determine whether the ticket had been reported stolen since its last renewal
- KDC will refuse to renew stolen tickets
- Usable lifetime of stolen tickets is reduced
RENEWABLE Flag Interpretation
The RENEWABLE flag in a ticket is:
- Normally only interpreted by the ticket-granting service (Section 3.3)
- Can usually be ignored by application servers
- However, some particularly careful application servers MAY disallow renewable tickets
Configuration
- If a renewable ticket is not renewed by its expiration time, the KDC will not renew the ticket
- The RENEWABLE flag is reset (not set) by default
- A client MAY request it be set by setting the RENEWABLE option in the KRB_AS_REQ message
- If set, the renew-till field in the ticket contains the time after which the ticket may not be renewed
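The renewal process, security checks and renew-till rules above, as an added KDC-side example (not code from any Kerberos implementation): `renew` models how a KDC decides a RENEW request. The hot-list is assumed to be a set of client principals whose tickets were reported stolen, since the page leaves its form open; `keygen` is injectable so the result can be checked.

```python
from dataclasses import dataclass, replace
import secrets


@dataclass(frozen=True)
class Ticket:
    client: str
    server: str
    session_key: bytes
    endtime: int        # first expiration: when this instance expires (epoch seconds)
    renew_till: int     # second expiration: latest permissible value for endtime
    renewable: bool = True   # the RENEWABLE flag


def renew(ticket, now, max_lifetime, hot_list=frozenset(), keygen=secrets.token_bytes):
    """KDC-side handling of a RENEW request.

    Returns (new_ticket, reason); new_ticket is None when the KDC refuses.
    hot_list (assumed shape) holds client principals with stolen tickets.
    """
    if not ticket.renewable:
        return None, "RENEWABLE flag not set"
    if now >= ticket.endtime:
        # The current instance already expired: the KDC will not renew it.
        return None, "current instance has expired; KDC will not renew"
    if now >= ticket.renew_till:
        return None, "renew-till reached; ticket has expired permanently"
    if ticket.client in hot_list:
        # Hot-list check at each renewal shortens a stolen ticket's useful life.
        return None, "ticket reported stolen; renewal refused"
    # New session key and a later endtime, never past renew-till;
    # every other field is copied unmodified.
    new_endtime = min(now + max_lifetime, ticket.renew_till)
    return replace(ticket, session_key=keygen(32), endtime=new_endtime), "renewed"


if __name__ == "__main__":
    # Constructed sample: 10 h instance lifetime, renewable for 7 days.
    t = Ticket("alice@EXAMPLE.COM", "host/web.example.com@EXAMPLE.COM",
               session_key=bytes(32), endtime=10 * 3600, renew_till=7 * 24 * 3600)
    for now in (9 * 3600, 11 * 3600):
        new, why = renew(t, now, max_lifetime=10 * 3600)
        print(now, why, None if new is None else new.endtime)
```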