Usually when authenticating with kerberos, kerberos provides a valid tgt. Until expiration, the service renews by itself from the domain policy. However you can force a renewal through
#kdestroy
then as the service user kinit with the service/server keytab
#kinit -kt /etc/security/keytabs/nifi.headless.keytab