GSSAPI Error: The Referenced Context has Expired (Unknown Error)

Error

Occasionally, you may see multiple errors like the following in the logs:

Mar 4 07:34:59 linuxhost lsass: GSSAPI Error: The referenced context has expired (Unknown error)

This may or may not be associated with slow logins.
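To tell isolated expirations apart from clusters (which would fit the load or concurrency issue described under Cause), the following added example groups the logged error by host and flags bursts. It is not part of the original article or the product. The sample lines other than the one quoted above, the year, the 5-minute window, the threshold of 3 and the function names are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the lsass line quoted in this article; tolerates "Mar 4" and "Mar  4".
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<clock>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) lsass: GSSAPI Error: The referenced context has expired"
)

def parse_expired_context(lines, year):
    """Return {host: sorted timestamps}. Classic syslog omits the year, so pass it in."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            stamp = f"{year} {m['mon']} {m['day']} {m['clock']}"
            events[m["host"]].append(datetime.strptime(stamp, "%Y %b %d %H:%M:%S"))
    return {host: sorted(ts) for host, ts in events.items()}

def find_bursts(times, window=timedelta(minutes=5), threshold=3):
    """Return (first_seen, count) for each run of errors spaced <= window apart
    that reaches threshold. Window and threshold are assumed values, not vendor guidance."""
    bursts, run = [], []
    for t in times:
        if run and t - run[-1] > window:
            if len(run) >= threshold:
                bursts.append((run[0], len(run)))
            run = []
        run.append(t)
    if len(run) >= threshold:
        bursts.append((run[0], len(run)))
    return bursts

ERR = "lsass: GSSAPI Error: The referenced context has expired (Unknown error)"
# Constructed sample: the first line is the one quoted above, the rest are made up.
SAMPLE = [
    f"Mar 4 07:34:59 linuxhost {ERR}",
    f"Mar  4 07:35:01 linuxhost {ERR}",
    f"Mar  4 07:35:40 linuxhost {ERR}",
    "Mar  4 07:36:02 linuxhost sshd[991]: Accepted password for alice from 192.0.2.10",
    f"Mar  4 15:40:12 linuxhost {ERR}",
    f"Mar  4 09:10:00 otherhost {ERR}",
]

if __name__ == "__main__":
    for host, times in parse_expired_context(SAMPLE, year=2024).items():
        print(host, len(times), "errors; bursts:", find_bursts(times))
```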

Cause

If a user does not enter their password for 8 hours after they initially logged in, the Kerberos ticket will expire and may not be renewed. This is the default Kerberos expiration time. There may be issues with user load or concurrency, which could prevent the ticket from being refreshed.

A user's Kerberos ticket must also be renewed when the user is using:

  • Single sign-on (SSO)
  • Another SSH client
  • An SMB client (for example, Nautilus from a workstation desktop)
  • NFSv4 mounts

Resolution

If you don't need SSO, you can turn off the following configuration setting (enabled by default), which may improve performance:

Name: RefreshUserCredentials
Description: Whether to refresh user credentials against AD domain controller
Type: boolean
Current Value: true
Accepted Values: true, false

Current Value is determined by local policy.

You may also use a group policy to manage this centrally: configure the Lsassd: Enable user credential refreshing setting, which is typically located under the Authorization and Identification group.