Kerberos Basic Troubleshooting: Tip 1

Published on Sunday, June 6, 2010 in , , ,

I intended to write a single entry about Kerberos Basic Troubleshooting, but it would have grown way to long. So instead I decided to write one tip a week. The tips should help you out with simple Kerberos issues. Keep in mind that anyone can run into Kerberos issues whilst not specifically enabling a service for Kerberos. Since Windows 2000 Kerberos is the default authentication mechanism and as such can cause trouble to you. So perhaps I should say “Authentication Basic Troubleshooting tips”.

The tip of today will be KLIST (and Kerbtray).

Klist can list or purge tickets for a given session and is available in W2008 and up. For W2003 or lower klist is available in the resource kit tools. Some sample usage scenario’s:

Usage 1: “klist”: list the tickets of the current user . You can clearly see the difference between the “Ticket Granting Tickets” and the “Service Tickets”. Mostly the Service Tickets are the ones of interest.


Pitfall: you have to run klist from a non UAC elevated prompt. If you run klist in an UAC elevated prompt, you will get a list of tickets your user has inside that specific session. When doing a “run as administrator” for the cmd prompt, a new logon session is made.

Usage 2:”klist purge”: throw away all tickets of the current user


Usage 3: “klist –li 0x3e7” and “klist –li 0x3e7 purge”: allows you to list the tickets of a logon session specified as 0x3e7.

Why is this so special? On each machine 0x3e7 is the session of the machine (“Local System”) itself. How can this be interesting? Use the purge option and you have a way to refresh the group membership of a machine without having to reboot it! Which in turn can be useful for refreshing group policies based on group security filtering. Some references for this topic: topic at activedir.org and Picking up Computer Group Membership Changes without a Reboot.

An example of some tickets of a machine:


As an alternative Kerbtray can be used which is graphical. However it can only be used to show the tickets of the current logged in user. It is available through the Windows 2003 resource kit tools. I like this one on an USB stick when troubleshooting Kerberos issues on Windows XP workstations. Here you can see it on a Windows 2008 R2 server, still works without issues.


You can right click it and choose “List Tickets” or “Purge Tickets”. List Tickets show you the following:


So that’s it for today, next week another Tip will be posed.

Related Posts

No Response to "Kerberos Basic Troubleshooting: Tip 1"

Add Your Comment