List cached Kerberos tickets. List the Kerberos principal and Kerberos tickets held in a credentials cache.
Syntax
klist [command]
commands:
tickets [-lh logonID.highpart] [-li logonID.lowpart]
List the currently cached ticket-granting-tickets (TGTs), and service tickets of the specified logon session.
This is the default option.
cloud_debug
Cloud /Hybrid login TGTs and debug info.
get SPN [-lh logonID.highpart] [-li logonID.lowpart] [-kdcoptions options] [-cachecoptions options]
Request a ticket to the target computer specified by the service principal name (SPN).
kdcoptions - Requests a ticket with the given KDC options specified in RFC 4120.
kcd_cache [-lh logonID.highpart] [-li logonID.lowpart]
Display the Kerberos Constrained Delegation cache information.
LogonID: If specified, displays the cache information for the logon session by the given value.
If not specified, displays the cache information for the current user's logon session.
purge [-lh logonID.highpart] [-li logonID.lowpart]
Delete all the tickets of the specified logon session.
Allows you to delete a specific ticket. Purging tickets destroys all tickets that you have cached, so use
this attribute with caution. It might stop you from being able to authenticate to resources. If this happens,
you'll have to log off and log on again.
sessions [-lh logonID.highpart] [-li logonID.lowpart]
Display a list of logon sessions on this computer.
add_bind Domain DC
Specify a preferred domain controller for Kerberos authentication.
query_bind
Display a list of cached preferred domain controllers for each domain that Kerberos has contacted.
purge_bind
Remove the cached preferred domain controllers for the domains specified.
tgt [-lh logonID.highpart] [-li logonID.lowpart]
Display the initial Kerberos ticket-granting-ticket TGT.
/? Display Help.
Key
-lh Denotes the high part of the user’s locally unique identifier (LUID), expressed in hex.
-li Denotes the low part of the user’s locally unique identifier (LUID), expressed in hexadecimal.
If neither -lh nor -li are present, the command defaults to the LUID of the currently signed in user.
If no parameters are provided, klist retrieves all the tickets for the currently logged on user.
Each LogonId is divided into two sections, high-part and low-part, separated with a colon ':'
for example:
HighPart:LowPart
0:0x3e7
Domain joined machines obtain Kerberos tickets under two sessions, identified below along with the Low Part of the LogonId. These two accounts will always use the same Low Part LogonId. They should never change.
tickets - Displays the following attributes of all cached tickets:
LogonID: The LUID.
Client: The concatenation of the client name and the domain name of the client.
Server: The concatenation of the service name and the domain name of the service.
KerbTicket Encryption Type: The encryption type that is used to encrypt the Kerberos ticket.
Ticket Flags: The Kerberos ticket flags. Start Time: The time from which the ticket is valid.
End Time: The time the ticket becomes no longer valid. When a ticket is past this time, it can no longer be used to authenticate to a service or be used for renewal.
Renew Time: The time that a new initial authentication is required.
Session Key Type: The encryption algorithm that is used for the session key.tgt - Displays the following attributes for the currently cached ticket:
LogonID: Identified in hex.
ServiceName: krbtgt
TargetName SPN: krbtgt
DomainName: Name of the domain that issues the TGT.
TargetDomainName: Domain that the TGT is issued to.
AltTargetDomainName: Domain that the TGT is issued to.
Ticket Flags: Address and target actions and type.
Session Key: Key length and encryption algorithm.
StartTime: Local computer time that the ticket was requested.
EndTime: Time the ticket becomes no longer valid. When a ticket is past this time, it can no longer be used to authenticate to a service.
RenewUntil: Deadline for ticket renewal.
TimeSkew: Time difference with the Key Distribution Center (KDC).
EncodedTicket: Encoded ticket.Other options will display the LogonID: Identified in hex
Klist.exe is a current Windows command, but an older version was also provided in early Windows Resource kits.
Query the Kerberos ticket cache to determine if any tickets are missing, if the target server or account is in error, or if the encryption type is not supported due to an Event ID 27 error:
C:\> klist
Query only local System Tickets:
C:\> klist –li 0x3e7
To learn about the specifics of each ticket-granting-ticket that is cached on the computer for a logon session, the value of “StartTime” will change when a Kerberos ticket is refreshed:
C:\> klist tgt
Purge the Kerberos ticket cache, this will update the User Process AD Group Membership without requiring a Restart or Logoff:
C:\> klist purge
Purge only local System Tickets, the local device will always have a LogonId of 0x3e7:
C:\> klist purge –li 0x3e7
Purge the Computer account kerberos tickets, this will refresh AD Group Membership without a Reboot:
C:\> klist -lh 0 -li 0x3e7 purge
Diagnose a logon session and to locate a logonID for a user or a service:
C:\> klist sessions
Diagnose Kerberos constrained delegation failure, and to find the last error that was encountered:
C:\> klist kcd_cache
Diagnose if a user or a service can get a ticket to a server, or to request a ticket for a specific SPN:
C:\> klist get host/%computername%
To diagnose replication issues across domain controllers, you typically need the client computer to target a specific domain controller. To target the client computer to the specific domain controller:
C:\> klist add_bind CONTOSO KDC.CONTOSO.COM
C:\> klist add_bind CONTOSO.COM KDC.CONTOSO.COM
Query which domain controllers were recently contacted by this computer:
C:\> klist query_bind
Rediscover domain controllers, or to flush the cache before creating new domain controller bindings with klist add_bind:
C:\> klist purge_bind
“Find out who you are and do it on purpose” ~ Dolly Parton
Gpupdate /force - Refresh Group policy, which will generate a new kerberos ticket.
Equivalent bash command (Linux): klist - Display a list of currently cached Kerberos tickets.