Klist
Updated: April 17, 2012
Applies To: Windows Server 2008 R2
Displays a list of currently cached Kerberos tickets. For examples of how this command can be used, see Examples.
Syntax
klist [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>] tickets | tgt | purge
Parameters
Parameter | Description |
---|---|
-lh | Denotes the high part of the user's logon identifier (LUID), expressed in hexadecimal. If neither -lh nor -li is present, the command defaults to the LUID of the user who is currently logged on. |
-li | Denotes the low part of the user's logon identifier (LUID), expressed in hexadecimal. If neither -lh nor -li is present, the command defaults to the LUID of the user who is currently logged on. |
tickets | Lists the currently cached ticket-granting tickets and service tickets of the specified logon session. This is the default option. |
tgt | Displays the initial Kerberos ticket-granting ticket (TGT). |
purge | Allows you to delete all the tickets of the specified logon session. |
/? | Displays Help for this command. |
Remarks
If no parameters are provided, Klist will retrieve all the tickets for the currently logged on user.
The parameters will display the following information:
tickets
Lists the currently cached tickets of services that you have authenticated to since logon. Displays the following attributes of all cached tickets:
LoginID: The LUID.
Client: The concatenation of the client name and the domain name of the client.
Server: The concatenation of the service name and the domain name of the service.
KerbTicket Encryption Type: The encryption type that is used to encrypt the Kerberos ticket.
Ticket Flags: The Kerberos ticket flags.
Start Time: The time from which the ticket will be valid.
End Time: The time the ticket becomes no longer valid. When a ticket is past this time, it can no longer be used to authenticate to a service or be used for renewal.
Renew Time: The time beyond which a new initial authentication is required.
Session Key Type: The encryption algorithm that is used for the session key.
tgt
The initial Kerberos TGT and the following attributes of the currently cached ticket:
LoginID: Identified in hexadecimal.
ServiceName: krbtgt.
TargetName <SPN>: krbtgt
DomainName: Name of the domain issuing the TGT.
TargetDomainName: Domain that the TGT is issued to.
AltTargetDomainName: Domain that the TGT is issued to.
Ticket Flags: Address and target actions and type.
Session Key: Key length and encryption algorithm.
StartTime: Local computer time that the ticket was requested.
EndTime: Time the ticket becomes no longer valid. When a ticket is past this time, it can no longer be used to authenticate to a service.
RenewUntil: Deadline for ticket renewal.
TimeSkew: Time difference with the Key Distribution Center (KDC).
EncodedTicket: Encoded ticket.
purge
Deletes the tickets of the specified logon session. Purging destroys all tickets that you have cached, so use this parameter with caution. It might stop you from being able to authenticate to resources. If this happens, you will have to log off and log on again.
- LoginID is identified in hexadecimal.
Other considerations
- Klist.exe is available in Windows Server 2008 R2 and Windows 7, and it requires no special installation.
Examples
When diagnosing an Event ID 27 (while processing a TGS request for the target server (<server>), the account (<account>) did not have a suitable key for generating a Kerberos ticket), you can use Klist to query the Kerberos ticket cache to determine whether any tickets are missing, the target server or account is in error, or the encryption type is not supported.
klist
When you diagnose errors and you want to know the specifics of each ticket-granting ticket that is cached on the computer for a logon session, you can use Klist to display the TGT information.
klist tgt
If you are unable to establish a connection and diagnosis might take too long, you can purge the Kerberos ticket cache, log off, and then log back on.
klist purge
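The cache check described in the first example can be scripted. The following is an added example, not part of the original page or Microsoft's code: the function names ConvertFrom-KlistText and Test-KlistCache are hypothetical, and the sample output, its line layout, the service names and the allowed encryption type list are constructed assumptions.

```powershell
# Constructed sample of klist output (not captured from a real system); the line
# layout is an assumption, the field names are those listed under Remarks.
$sample = @'
Cached Tickets: (2)
#0>     Client: alice @ EXAMPLE.TEST
        Server: krbtgt/EXAMPLE.TEST @ EXAMPLE.TEST
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: alice @ EXAMPLE.TEST
        Server: cifs/files01.example.test @ EXAMPLE.TEST
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
'@ -split '\r?\n'

function ConvertFrom-KlistText {
    param([string[]]$Line)
    $ticket = $null
    foreach ($text in $Line) {
        if ($text -match '^#(\d+)>\s*(.*)$') {
            # "#<n>>" starts a new ticket; emit the one collected so far.
            if ($null -ne $ticket) { New-Object PSObject -Property $ticket }
            $ticket = @{ Index = [int]$Matches[1] }
            $text = $Matches[2]
        }
        # "Name: value" lines become properties, split at the first colon.
        if ($null -ne $ticket -and $text -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $ticket[$Matches[1]] = $Matches[2]
        }
    }
    if ($null -ne $ticket) { New-Object PSObject -Property $ticket }
}

function Test-KlistCache {
    param($Ticket, [string[]]$ExpectedService, [string[]]$AllowedEtype)
    $cached = @($Ticket | ForEach-Object { ($_.Server -split '\s*@\s*')[0] })
    foreach ($svc in $ExpectedService) {
        if ($cached -notcontains $svc) { "MISSING  no cached ticket for $svc" }
    }
    foreach ($t in $Ticket) {
        $etype = $t.'KerbTicket Encryption Type'
        if ($AllowedEtype -notcontains $etype) {
            "ETYPE    #{0} {1} uses {2}" -f $t.Index, $t.Server, $etype
        }
    }
}

$tickets  = ConvertFrom-KlistText -Line $sample   # live use: -Line (klist)
$expected = 'cifs/files01.example.test', 'http/web01.example.test'
$allowed  = 'AES-256-CTS-HMAC-SHA1-96', 'AES-128-CTS-HMAC-SHA1-96'
Test-KlistCache -Ticket $tickets -ExpectedService $expected -AllowedEtype $allowed
```

A MISSING line points at a service for which no ticket was issued; an ETYPE line points at a ticket whose encryption type is outside the set you expect the target account to support.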