Product: TIBCO Spotfire®
List All Cached Kerberos Tickets
When administering or troubleshooting authentication in a domain, there are times when you need to know whether a ticket for a user and service has been cached on a computer. Kerberos delegation scenarios are good candidates for that, since a middle tier or ‘trusted for delegation’ server will cache tickets which have been passed to it.
Each identity--whether it is a computer, user or service--has its own Kerberos cache. Klist.exe, a tool which is included in the operating system for versions Windows 2008/Vista and later, allows users to view Kerberos tickets for any session if you know the LogonId of that user.
The Windows 8 / Windows Server 2012 and later version of Klist.exe will give you a list of the sessions and LogonIds to query for; however, the older Klist.exe will not.
If an administrator needs to know what tickets are definitively cached on a particular computer, they can run this script. To run the attached script (Filename: GetKerbTix.ps1), launch the Windows PowerShell as an administrator and type the following:
Note: If you encounter an error that says
'script cannot be loaded because the execution of scripts is disabled on this system. Please see "get-help about_signing" for more details.'
then execute the following command first in the PowerShell window:
set-executionpolicy remotesigned (Type in YES and press enter to confirm)
This script requires administrator privileges to run.
The script will display Kerberos ticket granting tickets as well as service tickets.
The script will give session information such as username, type of logon session, and LogonID if available.
The session 0x3e7 is the local system, also known as the computer account, session.
The session 0x3e4 is the network service session, a less privileged session of the local system identity.
The script will run on Windows Server 2008/Vista and later.
The script displays all ticket information to the PowerShell console.
The script also exports the results to a file named %computername%_CachedKerberosTickets.txt. The file is located in the c:\windows\temp directory by default.
WARNING: This script is simply a wrapper for the included OS tool Klist.exe. The script simply loops through each known SessionID and attempts to dump the Kerberos cache from that session.
There is a known bug in Klist.exe where the list of some Kerberos ticket caches will throw a popup error if there is a "stale" Kerberos session--a very old session that is referenced as a logon session but is actually missing. This is the same error you would see if you ran "Klist.exe -session" against that stale session.
On long running servers (busy and haven't been rebooted for a while) there may be MANY stale sessions, resulting in repeated annoying popups from Klist.exe.