Microsoft small business knowledge base

Article ID: 323931 - Last Review: February 27, 2014 - Revision: 3.3

This article was previously published under Q323931
This article has been archived. It is offered "as is" and will no longer be updated.

SUMMARY

If you log on to your computer by using a smart card, you may receive a prompt to refresh your credentials if you remain logged on for a long time.

MORE INFORMATION

Background

When a user logs on by using a smart card, Kerberos grants the user a ticket-granting ticket (TGT). With the TGT, the user can acquire tickets to access other resources on the network without typing any credentials. The TGT lasts for a fixed amount of time. At the end of this lifetime, the user must refresh it. To do so, the user must supply credentials by logging on. When you log on, the TGT is automatically updated. When Windows determines that the user has an expired TGT, an icon and a message appear on the taskbar of the user's computer. The message prompts the user to update their credentials.

TGT Refresh

The TGT has a default lifetime of 10 hours. If a user is logged on for more than 10 hours, the TGT expires and the user must refresh the TGT. If the smart card is in the reader, the TGT is refreshed. If the smart card is not in the reader, the TGT is not refreshed and all later attempts to access the network fail. To work around this behavior, the user must log off, and then log on to the computer to get a new TGT.

TGT Renewal in Windows XP and Windows 2000 SP2 and Later

By default, the TGT has a lifetime of 10 hours, but the user can renew it for up to 7 days. The renewal does not require credentials. The renewal occurs only if the user uses the TGT within 5 minutes of its expiration. Otherwise, the TGT expires and the user must refresh it (which requires credentials).

TGT Renewal in Windows Server 2003

By default, the TGT has a lifetime of 10 hours, but the user can renew it for up to 7 days. The renewal does not require credentials. The renewal occurs by using a scavenger thread on the computer. If the user cannot renew the TGT, it expires and the user must refresh it (which requires credentials).
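
The following is an added example, not code from the original article or from Microsoft. It models the two renewal behaviors described above to show when a smart card user is next asked for credentials. The policy labels, the function name, and the points marked as assumptions in the comments are illustrative only.

```python
from datetime import timedelta

# Defaults stated in the article.
LIFETIME = timedelta(hours=10)    # TGT lifetime
RENEW_TILL = timedelta(days=7)    # renewal limit, counted from logon
WINDOW = timedelta(minutes=5)     # XP / 2000 SP2: use must fall this close to expiry


def credentials_required_at(policy, tgt_uses=()):
    """Offset from logon at which the TGT expires and must be refreshed.

    policy:   "xp" (Windows XP / 2000 SP2+) or "server2003" (hypothetical labels)
    tgt_uses: offsets from logon at which the user requested a ticket with the TGT
    """
    if policy not in ("xp", "server2003"):
        raise ValueError(f"unknown policy: {policy!r}")
    uses = sorted(tgt_uses)
    expiry = LIFETIME
    while expiry < RENEW_TILL:
        window_start = expiry - WINDOW
        if policy == "server2003":
            # Assumption: the scavenger thread renews shortly before expiry and
            # the KDC is always reachable.
            renew_at = window_start
        else:
            # Renewal happens only if the TGT is used inside the window.
            hits = [u for u in uses if window_start <= u <= expiry]
            if not hits:
                return expiry
            renew_at = hits[0]
        # Assumption: a renewed TGT gets a fresh lifetime, capped at the limit.
        expiry = min(renew_at + LIFETIME, RENEW_TILL)
    return expiry


if __name__ == "__main__":
    h, m = timedelta(hours=1), timedelta(minutes=1)
    print(credentials_required_at("xp"))                    # idle user
    print(credentials_required_at("xp", [9 * h + 58 * m]))  # one use in the window
    print(credentials_required_at("server2003"))            # background renewal
```

Under these assumptions, a Windows XP user who does not touch the network near the 10-hour mark is prompted at 10 hours, while a Windows Server 2003 session runs until the 7-day renewal limit.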

Cached Credentials

If the user logs on with cached credentials, the user cannot refresh the TGT by unlocking the computer. (Even without cached credentials, unlocking does not reliably refresh the TGT on Windows 2000.) Otherwise, the user can refresh the TGT by unlocking and by re-inserting the card.

APPLIES TO
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows 2000 Standard Edition