Overview#

Klist lists the Kerberos Principal and Kerberos tickets held in a credentials cache, or the keys held in a keytab file.

Klist is on both Windows and is in the MIT User Commands.

The command syntax is slightly different depending on the platform.

Command line#

Klist #

Issuing Klist with no parameters will return all the "Cached Tickets" along with information similar to:

C:\Users\userid>klist

Current LogonId is 0:0x13bd47

Cached Tickets: (5)

#0>     Client: userid @ YOURDOMAIN.NET
        Server: krbtgt/servername.yourdomain.net @ YOURDOMAIN.NET
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 10/30/2013 7:23:44 (local)
        End Time:   10/30/2013 17:23:44 (local)
        Renew Time: 11/6/2013 7:23:44 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96#1>     Client: userid @ YOURDOMAIN.NET
        Server: cifs/servername.yourdomain.net @ YOURDOMAIN.NET
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 10/30/2013 8:12:02 (local)
        End Time:   10/30/2013 17:23:44 (local)
        Renew Time: 11/6/2013 7:23:44 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)#2>     Client: userid @ YOURDOMAIN.NET
        Server: LDAP/servername.yourdomain.net/YOURDOMAIN.NET @ YOURDOMAIN.NET
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
        Start Time: 10/30/2013 8:12:02 (local)
        End Time:   10/30/2013 17:23:44 (local)
        Renew Time: 11/6/2013 7:23:44 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96#3>     Client: userid @ YOURDOMAIN.NET
        Server: cifs/servername.yourdomain.net @ YOURDOMAIN.NET
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 10/30/2013 8:12:01 (local)
        End Time:   10/30/2013 17:23:44 (local)
        Renew Time: 11/6/2013 7:23:44 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)#4>     Client: userid @ YOURDOMAIN.NET
        Server: host/yourworkstation.nwie.net @ YOURDOMAIN.NET
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 10/30/2013 7:23:44 (local)
        End Time:   10/30/2013 17:23:44 (local)
        Renew Time: 11/6/2013 7:23:44 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

• LogonID: or The LUID: Identified in hexadecimal
• Client: The concatenation of the client name and the domain name of the client
• Server: The concatenation of the service name and the domain name of the service
• KerbTicket Encryption Type: The encryption type that is used to encrypt the Kerberos ticket
• Ticket Flags: The Kerberos ticket flags
• Start Time: The time from which the ticket will be valid
• End Time: The time the ticket becomes no longer valid. When a ticket is past this time, it can no longer be used to authenticate to a service or be used for renewal
• Renew Time: The time that a new initial authentication is required
• Session Key Type: The encryption algorithm that is used for the session key

Klist tgt#

Using the argument "tgt" will show the parameters of the "tgt" similar to:

C:\Users\userid>klist tgt |more
Current LogonId is 0:0x13bd47
Cached TGT:

ServiceName        : krbtgt
TargetName (SPN)   : krbtgt
ClientName         : userid
DomainName         : YOURDOMAIN.NET
TargetDomainName   : YOURDOMAIN.NET
AltTargetDomainName: YOURDOMAIN.NET
Ticket Flags       : 0x40e00000 -> forwardable renewable initial pre_authent
Session Key        : KeyType 0x12 - AES-256-CTS-HMAC-SHA1-96
                   : KeyLength 32 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
StartTime          : 10/30/2013 7:23:44 (local)
EndTime            : 10/30/2013 17:23:44 (local)
RenewUntil         : 11/6/2013 7:23:44 (local)
TimeSkew           :  + 0:00 minute(s)
EncodedTicket      : (size: 1742)
0000  61 82 06 ca 30 82 06 c6:a0 03 02 01 05 a1 0a 1b  a...0...........
<-- remaining content suppressed for space reasons -->

• LogonID: Identified in hexadecimal
• ServiceName: krbtgt
• TargetName <SPN>: krbtgt
• DomainName: Name of the domain that issues the TGT
• TargetDomainName: Domain that the TGT is issued to
• AltTargetDomainName: Domain that the TGT is issued to
• Ticket Flags: Address and target actions and type
• Session Key: Key length and encryption algorithm
• StartTime: Local computer time that the ticket was requested
• EndTime: Time the ticket becomes no longer valid. When a ticket is past this time, it can no longer be used to authenticate to a service.
• RenewUntil: Deadline for ticket renewal
• TimeSkew: Time difference with the Key Distribution Center (KDC)
• EncodedTicket: Encoded ticket

Klist purge#

Allows you to delete a specific ticket. Purging tickets destroys all tickets that you have cached, so use this attribute with caution. It might stop you from being able to authenticate to resources. If this happens, you will have to log off and log on again.

More Information#

There might be more information for this subject on one of the following:

• Initiate Kerberos
• Kerberos Tools
• Kerberos Tools Windows
• Kinit
• Troubleshooting Kerberos