Displays a list of currently cached Kerberos tickets. This information applies to Windows Server 2012. For examples of how this command can be used, see Examples.
Apr 02, 2013 Explain like I’m 5 years old: Kerberos – what is Kerberos, and why should I care? While this topic probably can not be explained to a 5 year-old and be understood, this is my attempt at defragmenting documentation with some visual aids and digestible language. In a nutshell Basically, Kerberos comes down to just this: a protocol for authentication uses tickets to authenticate avoids. Ticket management¶. On many systems, Kerberos is built into the login program, and you get tickets automatically when you log in. Other programs, such as ssh, can forward copies of your tickets to a. This event generates every time Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). This event generates only on domain controllers. If TGT issue fails then you will see Failure event with Result Code field not equal to “0x0”. This event doesn't generate for Result Codes: 0x10, 0x17 and 0x18.
Parameter | Description |
---|---|
-lh | Denotes the high part of the user's locally unique identifier (LUID), expressed in hexadecimal. If neither –lh or –li are present, the command defaults to the LUID of the user who is currently signed in. |
-li | Denotes the low part of the user's locally unique identifier (LUID), expressed in hexadecimal. If neither –lh or –li are present, the command defaults to the LUID of the user who is currently signed in. |
tickets | Lists the currently cached ticket-granting-tickets (TGTs), and service tickets of the specified logon session. This is the default option. |
tgt | Displays the initial Kerberos TGT. |
purge | Allows you to delete all the tickets of the specified logon session. |
sessions | Displays a list of logon sessions on this computer. |
kcd_cache | Displays the Kerberos constrained delegation cache information. |
get | Allows you to request a ticket to the target computer specified by the service principal name (SPN). |
add_bind | Allows you to specify a preferred domain controller for Kerberos authentication. |
query_bind | Displays a list of cached preferred domain controllers for each domain that Kerberos has contacted. |
purge_bind | Removes the cached preferred domain controllers for the domains specified. |
kdcoptions | Displays the Key Distribution Center (KDC) options specified in RFC 4120. |
/? | Displays Help for this command. |
Membership in Domain Admins Governor of poker 2 cd key generator. , or equivalent, is the minimum required to run all the parameters of this command.
If no parameters are provided, Klist will retrieve all the tickets for the currently logged on user.
The parameters display the following information:
tickets
Lists the currently cached tickets of services that you have authenticated to since logon. Displays the following attributes of all cached tickets:
tgt
Lists the initial Kerberos TGT and the following attributes of the currently cached ticket:
purge
Allows you to delete a specific ticket. Purging tickets destroys all tickets that you have cached, so use this attribute with caution. It might stop you from being able to authenticate to resources. If this happens, you will have to log off and log on again.
sessions
Allows you to list and display the information for all logon sessions on this computer.
kcd_cache
Allows you to display the Kerberos constrained delegation cache information.
get
Allows you to request a ticket to the target that is specified by the SPN.
add_bind
Allows you to specify a preferred domain controller for Kerberos authentication.
query_bind
Allows you to display cached, preferred domain controllers for the domains.
purge_bind
Allows you to remove cached, preferred domain controllers for the domains.
kdcoptions
For the current list of options and their explanations, see RFC 4120.
Other considerations