Kerberos - klist


The klist utility display the entries (tickets,..) in the local credentials cache and key table.



Usage: klist [[-c] [-f] [-e] [-a [-n]]] [-k [-t] [-K]] [name]
   name  name of credentials cache or  keytab with the prefix. File-based cache or keytab's prefix is FILE:.
   -c specifies that credential cache is to be listed
   -k specifies that key tab is to be listed
   options for credentials caches:
        -f       shows credentials flags
        -e       shows the encryption type
        -a       shows addresses
          -n       do not reverse-resolve addresses
   options for keytabs:
        -t       shows keytab entry timestamps
        -K       shows keytab entry key value
        -e       shows keytab entry key type

Usage: java -help for help.

MIT kerberos

Usage: klist [-e] [-V] [[-c] [-l] [-A] [-d] [-f] [-s] [-a [-n]]] [-k [-t] [-K]] [name]
        -c specifies credentials cache
        -k specifies keytab
           (Default is credentials cache)
        -i uses default client keytab if no name given
        -l lists credential caches in collection
        -A shows content of all credential caches
        -e shows the encryption type
        -V shows the Kerberos version and exits
        options for credential caches:
                -d shows the submitted authorization data types
                -f shows credentials flags
                -s sets exit status based on valid tgt existence
                -a displays the address list
                        -n do not reverse-resolve
        options for keytabs:
                -t shows keytab entry timestamps
                -K shows keytab entry keys


Usage: klist.exe [command]

Command list:
  [tickets] [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>]
  tgt [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>]
  purge [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>]
  sessions [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>]
  kcd_cache [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>]
  get <SPN> [-lh <LogonId.HighPart>] [-li <LogonId.LowPart>]
            [-kdcoptions <options>] [-cacheoptions <options>]
  add_bind <DOMAIN> <DC>



klist -f
Credentials cache: C:\Users\gerard\krb5cc_gerard

Default principal: [email protected], 1 entry found.

[1]  Service Principal:  krbtgt/[email protected]
     Valid starting:     Jul 10,  2014 10:11:40
     Expires:            Jul 10,  2014 20:11:40
     Flags:              INITIAL;PRE-AUTHENT


Flags Description
F Forwardable
f forwarded
P Proxiable
p proxy
D postDateable
d postdated
R Renewable
I Initial
i invalid
H Hardware authenticated
A preAuthenticated
T Transit policy checked
O Okay as delegate
a anonymous

Discover More
Kerberos Ticket Manager Ticket Get
Kerberos - (Ticket|Credentials)

Kerberos credentials, or “tickets” are the credentials in Kerberos. There are only two different types for tickets that the KDC issues. Ticket Granting Ticket (TGT). The first ticket obtained is...
Kerberos - Diagnostic

When you want to diagnose a logon session for a user or a service, you can use the following command to find the LogonID that is used in other Klist windows commands.
Kerberos - Key Distribution Center (KDC)

Key Distribution Center. A machine that issues Kerberos tickets. The KDC is a service that should only be running on a domain controller. The service name is “Kerberos Key Distribution Center”. Basically...
Spn Active Directory
Kerberos - Service principal name

A service principal name is a principal for a service where: The service-class is a string and identifies the general class of service. Computers or machine accounts automatically get an SPN with a...
Kerberos - Windows

Kerberos management on Windows - installation and configuration The following tools obtain, list, and manage Kerberos tickets on Windows: kinit: You use the kinit tool and its options to...
Mit Kerberos Ticket Manager
Kerberos - ticket-granting ticket (TGT)

A ticket-granting ticket (TGT) is the first ticket obtained in a kerberos system. It's a special ticket that permits the client to obtain additional Kerberos tickets within the same Kerberos realm. Under...
Wna Sso Kerberos Weblogic
OBIEE 11G - SSO Authentication with Windows Native Authentication (WNA)

This article will go through an SSO Authentication with Windows Native Authentication (WNA) and kerberos Weblogic is on a Unix machines A Windows 2000 (or later release) Server domain...

Share this page:
Follow us:
Task Runner