Kerberos List Main Topic | Next

Kerberos List Syntax

klist [-?] [tickets | tgt | purge]

Where:

-?

Display command-line help.

tickets

Lists the currently-cached tickets of services that you have authenticated to since logon. Displays the following attributes of all cached tickets:

Option	Description
Server	Server and domain for the ticket.
KerbTicket Encryption Type	Encryption type used to encrypt the Kerberos ticket.
End Time	Time the ticket becomes no longer valid. Once a ticket is past this time, it can no longer be used to authenticate to a service.
Renew Time	If the ticket is a renewable ticket (see TicketFlags below), then this is the maximum lifetime of the ticket. In order to continue using this ticket it must be renewed before the End Time. It can be renewed as long at it is before the End Time and is before the RenewUntil time.

tgt

Lists the initial Kerberos ticket-granting-ticket (TGT). Displays the following attributes of the currently-cached ticket:

Option	Description
ServiceName	A TGT (ticket-granting-ticket) is a ticket for the KDC service. The service name for a TGT is "krbtgt".
TargetName	Service name the ticket was requested for. This is the name of a servicePrincipalName property on an account in the directory.
FullServiceName	Canonical name of the account principal for the service.
DomainName	The domain name of the service.
TargetDomainName	For a cross realm ticket, this is the realm in which the ticket is good instead of the issuing realm.
AltTargetDomainName	The name supplied to InitializeSecurityContext that generated this ticket, usually an SPN.
TicketFlags	Kerberos ticket flags set on the current ticket in hexadecimal. The KerbTray tool displays these flags visually in the Flags tab.
KeyExpirationTime	The key expiration time from the KDC reply.
Start time	Time the ticket becomes valid.
End Time	Time the ticket becomes no longer valid. Once a ticket is past this time, it can no longer be used to authenticate to a service.
RenewUntil	If the ticket is a renewable ticket (see TicketFlags), then this is the maximum lifetime of the ticket. In order to continue using a ticket it must be renewed. Tickets must be renewed before both the End Time and RenewUntil times expire.
TimeSkew	The reported time difference between the client computer and the server computer for a ticket.

purge

Allows you to delete a specific ticket. Purge tickets will destroy all tickets that you have cached, so use this with caution. It might stop you from being able to authenticate to resources. If this happens you will have to logoff and logon again.