You must be at least a Domain Admin, or equivalent, to run all the parameters of this command.

Syntax

klist tickets | tgt | purge | sessions | kcd_cache | get | add_bind | query_bind | purge_bind

-lh: Denotes the high part of the user's locally unique identifier (LUID), expressed in hexadecimal. If neither -lh nor -li are present, the command defaults to the LUID of the user who is currently signed in.
-li: Denotes the low part of the user's locally unique identifier (LUID), expressed in hexadecimal. If neither -lh nor -li are present, the command defaults to the LUID of the user who is currently signed in.
tickets: Lists the currently cached ticket-granting-tickets (TGTs), and service tickets of the specified logon session. This is the default option.
purge: Allows you to delete all the tickets of the specified logon session.
sessions: Displays a list of logon sessions on this computer.
kcd_cache: Displays the Kerberos constrained delegation cache information.
get: Allows you to request a ticket to the target computer specified by the service principal name (SPN).
add_bind: Allows you to specify a preferred domain controller for Kerberos authentication.
query_bind: Displays a list of cached preferred domain controllers for each domain that Kerberos has contacted.
purge_bind: Removes the cached preferred domain controllers for the domains specified.
kdcoptions: Displays the Key Distribution Center (KDC) options specified in RFC 4120.

If no parameters are provided, klist retrieves all the tickets for the currently logged on user. The parameters display the following information:

Tickets - Lists the currently cached tickets of services that you have authenticated to since logon. Displays the following attributes of all cached tickets:
    Client: The concatenation of the client name and the domain name of the client.
    Server: The concatenation of the service name and the domain name of the service.
    KerbTicket Encryption Type: The encryption type that is used to encrypt the Kerberos ticket.
    Start Time: The time from which the ticket is valid.
    End Time: The time the ticket becomes no longer valid. When a ticket is past this time, it can no longer be used to authenticate to a service or be used for renewal.
    Renew Time: The time that a new initial authentication is required.
    Session Key Type: The encryption algorithm that is used for the session key.

Tgt - Lists the initial Kerberos TGT and the following attributes of the currently cached ticket:
    DomainName: Name of the domain that issues the TGT.
    TargetDomainName: Domain that the TGT is issued to.
    AltTargetDomainName: Domain that the TGT is issued to.
    Ticket Flags: Address and target actions and type.
    Session Key: Key length and encryption algorithm.
    StartTime: Local computer time that the ticket was requested.
    EndTime: Time the ticket becomes no longer valid. When a ticket is past this time, it can no longer be used to authenticate to a service.
    TimeSkew: Time difference with the Key Distribution Center (KDC).

Purge - Allows you to delete a specific ticket. Purging tickets destroys all tickets that you have cached, so use this attribute with caution. It might stop you from being able to authenticate to resources. If this happens, you'll have to log off and log on again.

If not specified, displays the cache information for the current user's logon session.

Get - Allows you to request a ticket to the target that is specified by the SPN.
    LogonID: If specified, requests a ticket by using the logon session by the given value. If not specified, requests a ticket by using the current user's logon session.
    Kdcoptions: Requests a ticket with the given KDC options.

Add_bind - Allows you to specify a preferred domain controller for Kerberos authentication.
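
The attributes listed under Tickets can be read programmatically when auditing a host's ticket cache. The following is an added example, not part of the original documentation: it parses klist tickets output into one record per ticket and reports tickets that are past their End Time. The sample output is constructed, and its layout, the US-style date format, and the names parse_tickets and expired are assumptions.

```python
import re
from datetime import datetime

# Constructed sample of `klist tickets` output (assumed layout, not captured from a real host).
SAMPLE = """\
Cached Tickets: (2)

#0>     Client: alice @ EXAMPLE.TEST
        Server: krbtgt/EXAMPLE.TEST @ EXAMPLE.TEST
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 3/4/2024 8:00:00 (local)
        End Time:   3/4/2024 18:00:00 (local)
        Renew Time: 3/11/2024 8:00:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: alice @ EXAMPLE.TEST
        Server: cifs/files01.example.test @ EXAMPLE.TEST
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Start Time: 3/4/2024 8:05:00 (local)
        End Time:   3/4/2024 12:00:00 (local)
        Renew Time: 3/11/2024 8:00:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
"""

# Attribute names as documented for the Tickets listing.
FIELDS = ("Client", "Server", "KerbTicket Encryption Type", "Start Time",
          "End Time", "Renew Time", "Session Key Type")
TIME_FMT = "%m/%d/%Y %H:%M:%S"  # assumption: US-style locale on the audited host

def parse_tickets(text):
    """Split klist output into one dict per cached ticket."""
    tickets = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"#\d+>\s*(.*)", line)
        if m:  # a "#N>" marker starts a new ticket record
            tickets.append({})
            line = m.group(1)
        if not tickets or ":" not in line:
            continue  # header lines before the first ticket, blank lines
        key, value = (part.strip() for part in line.split(":", 1))
        if key in FIELDS:
            if key.endswith("Time"):  # Start/End/Renew Time become datetimes
                value = datetime.strptime(value.replace("(local)", "").strip(), TIME_FMT)
            tickets[-1][key] = value
    return tickets

def expired(tickets, now):
    """Servers whose ticket is past End Time and can no longer authenticate."""
    return [t["Server"] for t in tickets if now > t["End Time"]]
```
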