> ## Documentation Index
> Fetch the complete documentation index at: https://docs.truu.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# TruU's Kerberos Behavior on macOS

> This is a FAQ document regarding TruU's Kerberos Token Behavior on the Mac Authenticator.

## Configuration

* For users that are enrolled in TruU, they will get their Kerberos realm from the **NT Principle** name that is in the smart card certificate.
* Administrators can configure their ticket lifetimes on the **KDC** or via the **KRB5.conf** file.
* **TruU does not alter or participate in any of this configuration setup.**

## Obtaining a Kerberos Ticket

* TruU uses the smart card certificate to passwordlessly authenticate WHILE obtaining a Kerberos ticket.
* If Kerberos is not disabled in the config file, TruU will try to obtain a Kerberos ticket following several different scenarios:
  * Following successful user enrollment
  * When the user logs in
  * When the system wakes from sleep state
  * When the network changes
* **NOTE**: network connectivity to the domain controller is required to successfully obtain the Kerberos ticket.

## Renewing a Kerberos Ticket

* TruU will try to renew a Kerberos ticket immediately following the expiration of the current ticket.
* If TruU is unseccessful in renewing the Kerberos ticket at first, it will continue to try once a minute until there is network connectivity to the DC and it's status reads "successful"

## Miscellaneous

* If you manually destroy a kerberos ticket with kdestroy, you will have to either log out/login the user OR restart the system to have TruU begin requesting a new Kerberos ticket for the user.
* **NOTE**: If the user logs out or tries to restart the system, their old tickets will be destroyed.

***

[Biometric Permission](/docs/biometric-consent-permissions)

[How to Disable Password Login on Windows](/docs/how-to-disable-password-login-on-windows)