Recipe 14.17 Viewing and Purging Your Kerberos Tickets

14.17.1 Problem

You want to view and possibly purge your Kerberos tickets.

14.17.2 Solution

Both the kerbtray and klist utilities can be found in the Resource Kit.

14.17.2.1 Using a graphical user interface
  1. Run kerbtray.exe from the command line or Start Run.

  2. A new icon (green) should show up in the system tray (where the system time is located). Double-click on that icon. This will allow you to view your current tickets.

  3. To purge your tickets, right-click on the kerbtray icon in the system tray and select Purge Tickets.

  4. Close the kerbtray window and reopen it by right-clicking on the kerbtray icon and selecting List Tickets.

14.17.2.2 Using a command-line interface

Run the following command to list your current tickets:

> klist tickets

Run the following command to purge your tickets:

> klist purge

14.17.3 Discussion

Active Directory uses Kerberos as its preferred network authentication system. When you authenticate to a Kerberos Key Distribution Center (KDC), which in Active Directory terms is a domain controller, you are issued one or more tickets. These tickets identify you as a certain principal in Active Directory and can be used to authenticate you to other Kerberized services. This type of ticket is known as a ticket-granting-ticket, or TGT. Once you've obtained a TGT, the client can pass that to a Kerberized service and if the service accepts the ticket, it will issue a service ticket that represents the client for the particular service.

Kerberos is a fairly complicated system that cannot be done justice in a single paragraph. If you want more information on tickets and how the Kerberos authentication system works, see Kerberos:TheDefinitive Guide (O'Reilly).

14.17.4 See Also

RFC 1510 (The Kerberos Network Authentication Service V5), and MS KB 232179 (Kerberos Administration in Windows 2000)



    Chapter 3. Domain Controllers, Global Catalogs, and FSMOs
    Chapter 6. Users
    Appendix A. Tool List