Your renew until timestamp is same as Valid starting. This confirms that your TGT is not renewable. There could be two reasons for this. 1. Your principal in kdc is still being created without the correct  max_renewable_life You can check this from kadmin by doing a getprinc on  hue/ngs-poc2.tcshydnextgen.com@TCSHYDNEXTGEN.COM. If it is incorrect then you have to delete these principals and recreate. 2. Your krb5.conf does not have the right  renew_lifetime, you should set it to match the  max_renewable_life in kdc.conf. For compatability with MIT KDC client libraries and Java you should set it in seconds. So for example if your  max_renewable_life is 7d then set  renew_lifetime = 604800   Also make sure that in the CM Kerberos configuration " Kerberos Renewable Lifetime" and " Kerberos Ticket Lifetime"  are set to match what you have set in kdc.conf   ... View more

On the node that is running hue/kerberos ticket renewer, can you restart hue service and run the following and reply with the output?   KRB5CCNAME=/tmp/hue_krb5_ccache klist -fe       ... View more

If you generated the principals before the property was added, you would either have to modify your principals or regenerate them.   You can check if your principals have been setup with right renewable parameters by launching kadmin[.local] and running getprinc on a principal   You should see  Maximum renewable life: 7 days 00:00:00 ... View more

When you kinit and then run klist -f Do you see a R flag? Are your expiration time and renew until time same on your ticket? If so have you configured ticket renewal on the KDC side? If you are using MIT KDC in your kdc.conf you'll need something like max_renewable_life = 7d ... View more