Renewable TGTs
When tickets are renewable, session keys are refreshed periodically without issuing a completely new ticket. If Kerberos policy permits renewable
tickets, the KDC sets a RENEWABLE flag in every ticket it issues and sets two expiration times in the ticket. One expiration time limits the life of the current instance of the ticket; the second expiration time sets a limit on the cumulative lifetime of all
instances of the ticket.
The expiration time for the current instance of the ticket is held in the End Time field. As with non-renewable tickets, the value in the End Time
field equals the value in the Start Time field plus the value of the maximum ticket life specified by Kerberos policy. A client holding a renewable ticket must send itpresenting a fresh authenticator as wellto the KDC for renewal before the end time is reached.
When the KDC receives a ticket for renewal, it checks the value of a second expiration time held in the Renew Till field. This value is set when the ticket is first issued. It equals the value in the tickets Start Time field plus the value of the maximum cumulative
ticket life specified by Kerberos policy. When the KDC renews the ticket, it checks to determine if the renew-till time has not yet arrived. If it has not, the KDC issues a new instance of the ticket with a later end time and a new session key.
This means that administrators can set Kerberos policy so that tickets must be renewed at relatively short intervalsevery day, for example. When
tickets are renewed, a new session key is issued, minimizing the value of a compromised key. Administrators can also set cumulative ticket life for a relatively long periodone week or one month, for example. At the end of that time, the ticket expires and
is no longer valid forrenewal."
Source :
https://social.technet.microsoft.com/Forums/windowsserver/en-US/e0c6a401-1609-47c9-8f1c-6437b98bef2a/how-does-kerberos-ticket-or-tgt-get-renewed-or-refreshed?forum=winserversecurity