As the person quoted right at the beginning, I should probably contribute my findings here.

I don't believe that ticket refresh is an issue. I can quite happily refresh, destroy, or replace my Kerberos credentials from under a running GSSAPI context, without causing that context to break.

The issue (if there is an issue) is that Heimdal and MIT's behaviour differ when the initiator's credentials do actually expire. Heimdal allows the context to continue to be used for wrapping operations past expiry - MIT expires the context, and calls to wrap() or unwrap() fail.

This difference in behaviour is an issue when using SASL applications with security layers, as the only way to renew the context is to reconnect to the server. In addition, many applications have inadequate error handling around their security layer implementations.

I suspect that the current MIT behaviour is correct. Whilst there's no explicit language in RFC 2743, it suggests that the length of time for which the context will be valid depends on credential lifetime.

Simon.