
Ticket-Granting Tickets and Tickets to Services

A ticket-granting ticket allows a principal to request and receive tickets to DCE services, for example a ticket to a Distributed File System server in order to read a file. The tickets that let principals access DCE services are called service tickets.

Both ticket-granting tickets and service tickets have lifetimes that are determined by the settings for individual accounts and registry policies and properties. When a principal's ticket-granting ticket expires, the principal is no longer considered an authenticated user. An unauthenticated principal's access to objects other than those on the local machine is severely curtailed, and the principal's ability to use DCE services becomes extremely limited. To remedy this, the principal must reauthenticate by running the kinit command (see the kinit(8sec) reference page) or by logging out and logging in again to DCE.

If you flag an account as able to renew service tickets, the principal's service tickets are renewed automatically by the authentication service, requiring no action on the principal's part. Note, however, that the lifetime allocated to a service ticket can never exceed the time remaining on the principal's ticket-granting ticket (TGT).