Penn Computing

University of Pennsylvania
Penn Computing << go backback

Using Kerberos for Macintosh, the Ticket Manager for Mac OS X

Kerberos ticket manager software is designed to manage authentication (identity verification) across multiple online services that recognize the Kerberos protocol. To learn more, see "Getting Started in a Kerberized Environment," and "Kerberos Tickets and How They Work."

This document provides instructions for:


Starting the Kerberos application

In Mac OS X, Kerberos is treated as an application like any other, rather than as a Control Panel. Open the Kerberos application by double-clicking its icon in the "Applications" window.

Getting a Kerberos Ticket

You will need to obtain a Kerberos Ticket-Granting Ticket (TGT), or "master ticket," only once per computing session. By default, this ticket is valid for ten hours. You will need to get a new ticket after restarting and logging into your machine, after destroying existing tickets, or if you allow a ticket to expire.

To get a Kerberos ticket:

  1. Open the Kerberos application. The Kerberos window will displayed with an empty ticket scroll list.
    [screen shot of Kerberos window]

  2. Click the Get Tickets button in the Kerberos window.

  3. In the Username: field, type your PennKey.

  4. Make sure the Realm: field shows "v5 UPENN.EDU."

  5. Type your password in the Password: field, then click the OK button.
    Note: Kerberos passwords are case-sensitive. Your password will not be displayed as you type it.

  6. If your login is successful, you will return to the Kerberos window. In the ticket scroll list, you will see a ticket entitled "v5[yourPennKey]@UPENN.EDU"

Renewing a Kerberos ticket

Should you find yourself working during a very prolonged session, you may wish to renew your ticket in order to prevent your work from being interrupted by ticket expiration.

To renew your tickets:

  1. Open Kerberos application. Note the remaining time listed next to the ticket at the top of your ticket scroll list.

  2. Click the Renew Tickets button in the Kerberos window. The Kerberos login window appears and you will be prompted to re-enter your password.

  3. Type your password in the Password: field, then click the "OK" button.

  4. If your renewal is successful, the remaining time listed next to the ticket at the top of your ticket scroll list will have increased to the length of a full new session.

Destroying a Kerberos ticket

To prevent others from using your account information from your computer, be sure to destroy any Kerberos tickets before leaving your computer. You will subsequently need to obtain new tickets to gain access using Kerberized clients.

To destroy your tickets:

  1. Open the Kerberos application. The Kerberos window will display with content appearing in the ticket scroll list.
    [screen shot of Kerberos window with active tickets]

  2. Click the Destroy Tickets button in the Kerberos window.
    Note: You cannot selectively destroy some tickets while preserving others. Destroying tickets is an "all-or-nothing" action.

  3. Confirm there are no active tickets by making sure the scroll list of the Kerberos window is empty.

  4. Quit the Kerberos application.

Changing your Kerberos/PennKey password

You need to have an active Kerberos ticket in order to change your Kerberos/PennKey password. See the section "Getting a Kerberos ticket" for instructions.

Then, to change your password:

  1. Click the Change Password button in the Kerberos window. The Kerberos Change Password window appears.

  2. Type your old password and your new password where prompted, then click the "OK" button.
    Note: You may wish to consult the "Rules for Password selection" page for suggestions on how to create a strong PennKey password.

  3. If your password change is successful, you will be shown a confirmation screen.

Quitting the Kerberos program

To quit the Kerberos program, simply click on its close window button in the upper left corner of the window.

Important Note: Quitting the program does not destroy your active tickets -- you must manually destroy tickets to ensure that nobody else can use them.

Information Systems and Computing
University of Pennsylvania
Information Systems and Computing, University of Pennsylvania