Kerberos Ticket Renewal on MacOS Mountain Lion

The Active Directory integration in Mountain Lion is getting pretty good, certainly much better than the early 10.7 days. Several applications integrate quite well and offer Kerberos single sign-on, such as Safari and the Microsoft Office apps. One thing I do not like about Kerberos on MacOS is that when my TGT expired it would not auto-renew. That means Safari wouldn't perform SSO, and some tools like Lync or Communicator would start prompting for passwords. The easiest way to deal with this is to open a terminal and type "kinit", which prompts for your password and issues a new ticket. As easy as that is, I don't like it, so I went looking for a solution, and as luck would have it there is an easy one.

If you set this up, each time you authenticate to the screensaver or unlock the keychain the OS will get a new ticket granting ticket, which is much better. One downside is that it will not renew the ticket if you are logged in and the ticket expires while the screen is unlocked. But my screen lock timeout is short enough anyway, so it removes most of the pain.

Here's how to do it (it's super simple!): open the "Keychain Access" application, and under the "Keychain Access" dropdown menu select "Ticket Viewer".
Once that opens, you should see some tickets. Note the principal name (case matters, so it needs to match how your directory services are configured). Click on Add, type your principal name and password, and uncheck the "remember password" box (that setting might lock your domain account when you change your password, depending on the lockout policy). Then click Continue. It takes a few seconds to work, so be patient. Once it is added (all the other tickets will likely disappear), highlight the principal and click on the "Set as Default" button. Now when you unlock the screensaver (or the keychain) it will request a new TGT, so it's less likely that you will run into timeouts.

I did find one bug: if the Ticket Viewer application is open and running when a new ticket is issued, it will crash and all your tickets will be deleted, so close the application before testing.
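For the remaining gap (a TGT that runs out while the screen stays unlocked), here is an added example that is not part of the original post: a small Python watchdog that reads `klist` output, checks how long the default TGT has left, and calls `kinit --renew` while the ticket is still valid. It assumes Heimdal-style `klist` output as found on MacOS and a renewable TGT (renewable lifetime is a domain policy decision); the sample `klist` output below is constructed, not captured from a real host.

```python
import re
import subprocess
from datetime import datetime, timedelta

# Constructed sample of Heimdal `klist` output (MacOS layout); not from a real host.
SAMPLE_KLIST = """\
Credentials cache: API:501:2
        Principal: jdoe@EXAMPLE.COM

  Issued                Expires               Principal
Jan 30 12:59:09 2013  Jan 30 22:59:09 2013  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# The krbtgt/ row carries the TGT; capture its "Expires" column.
TGT_LINE = re.compile(
    r"^(?P<issued>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+"
    r"(?P<expires>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+krbtgt/",
    re.MULTILINE,
)

def tgt_expiry(klist_output):
    """Return the TGT expiry as a naive local datetime, or None if no valid TGT row is found."""
    m = TGT_LINE.search(klist_output)
    if not m:
        return None
    return datetime.strptime(m.group("expires"), "%b %d %H:%M:%S %Y")

def decide(klist_output, now, margin_seconds=1800):
    """Classify the cache at time `now`:
    'missing'  -> no TGT cached (an interactive kinit is needed)
    'expired'  -> TGT past its expiry (renewal cannot revive it; kinit again)
    'renew'    -> TGT still valid but within the margin (kinit --renew works)
    'ok'       -> nothing to do"""
    # Heimdal prints >>>Expired<<< in the Expires column once a ticket has lapsed.
    if re.search(r">>>Expired<<<.*krbtgt/", klist_output):
        return "expired"
    exp = tgt_expiry(klist_output)
    if exp is None:
        return "missing"
    if exp <= now:
        return "expired"
    if exp - now <= timedelta(seconds=margin_seconds):
        return "renew"
    return "ok"

def renew_if_needed(now=None):
    """Inspect the default credentials cache and renew the TGT only while it is still valid."""
    out = subprocess.run(["klist"], capture_output=True, text=True).stdout
    state = decide(out, now or datetime.now())
    if state == "renew":
        subprocess.run(["kinit", "--renew"], check=False)
    return state

if __name__ == "__main__":
    print(renew_if_needed())
```

Run it from a periodic launchd agent or cron job; when it reports `missing` or `expired`, only an interactive `kinit` (or the Ticket Viewer unlock described above) can issue a fresh ticket.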