Skip to main content

Kerberos Tickets

Online services that are protected by Kerberos will ask to see your Kerberos "ticket" before they will let you in. This web page tells how to get Kerberos tickets and safeguard them against unauthorized use.

How to Get a Ticket

When you use a service that needs a ticket, a window opens that requests your Network ID and password.

Password prompt on Windows
Kerberos password window on Windows

Password prompt on Macintosh
Kerberos password window on Macintosh

  1. Enter your Network ID (your initials followed by a number) by itself, without @cornell.edu. Type it in all lowercase letters; Kerberos does not recognize uppercase letters in NetIDs.
  2. Enter your password exactly as you typed it when you first selected it. It may contain both uppercase and lowercase letters. Make sure the Caps Lock key on your keyboard is not down -- accidentally pressing this key (and so entering your password in all uppercase letters) is one of the most common problems people have with Kerberos.
  3. Click the OK button.

If you mistype your password, you will see "Kerberos error 62: Password incorrect", then the window above will reopen to give you another chance to type your password correctly.

When you type your password correctly, the window above will close, and one or more of the ticket indicators shown below may appear on your screen.

How long does a ticket last?

On a personal computer, the ticket is good for up to eight hours on Windows or 10 hours on a Macintosh. In public computing labs, tickets expire after a few minutes, because a different person could sit down at the same computer every few minutes.

As long as you have an active ticket, you can use any Kerberized service without the need to enter your password again. Some particularly sensitive Kerberized services ask you to enter your password frequently as an additional safety measure.

How to tell when you have a ticket

When you have an active ticket (i.e., a ticket that has not expired), you will see indications on your screen:

On Windows:

key A small yellow key appears in the system tray (lower right corner of your screen), and
An (optional) small window displays your NetID on a colored background, and "floats" on top of other windows.
nokey If the small yellow key has a red circle with a slash (a "no key" icon), that means you don't have a ticket right now, so it is safe to leave your computer.
key nokey The key icon, with or without a slash, also means that SideCar, a program that helps some Kerberized services interact with Kerberos, is running. You can use SideCar to specify your preferences for several Kerberos options.

On a Macintosh,

icon A small yellow key appears at the bottom of the Kerberos icon in the upper right corner of your screen.
icon If the Kerberos icon does not have a small yellow key, that means you don't have a ticket right now, so it is safe to leave your computer.

Be Sure to Clear Your Ticket

Although the Kerberos system can reliably protect access to your information, you need to take action to ensure that an active ticket does not remain on your computer when others might have access to it. If you leave your computer without clearing your Kerberos ticket, someone else could come along and look up your private information, change your course schedule, or bill printouts to your bursar account. You can clear your ticket in multiple ways:

  • On Windows, by closing the NetID window.
  • On Windows, by clicking on the small yellow key and choosing "Log out" from the pop-up menu.
  • On a Macintosh, by clicking on the Kerberos icon icon and choosing "Destroy Tickets" from the pull-down menu.
  • By choosing "Forget Password" from the Special menu in Eudora (note: this does not always work as designed with Windows). Eudora will "forget" your password by clearing your Kerberos ticket. Your Network ID password will not be reset or changed. Please note that simply quitting Eudora will not clear your Kerberos ticket.
  • By restarting or shutting down your computer.

After you clear a ticket, you will need to re-enter your password when you next try to use a Kerberized service.