14.17. Viewing and Purging Your Kerberos Tickets
Problem
You want to view and possibly purge your Kerberos tickets.
Solution
Both the kerbtray and klist utilities can be found in the Resource Kit.
Using a graphical user interface
Run kerbtray.exe from the command line or Start → Run.
A new icon (green) should show up in the system tray (where the system time is located). Double-click on that icon. This will allow you to view your current tickets.
To purge your tickets, right-click on the kerbtray icon in the system tray and select Purge Tickets.
Close the kerbtray window and reopen it by right-clicking on the kerbtray icon and selecting List Tickets.
Using a command-line interface
Run the following command to list your current tickets:
> klist tickets
Run the following command to purge your tickets:
> klist purge
Discussion
Active Directory uses Kerberos as its preferred network authentication system. When you authenticate to a Kerberos Key Distribution Center (KDC), which in Active Directory terms is a domain controller, you are issued one or more tickets. These tickets identify you as a certain principal in Active Directory and can be used to authenticate you to other Kerberized services. This type of ticket is known as a ticket-granting-ticket, or TGT. Once you’ve obtained a TGT, the client can pass that to a Kerberized service and if the service accepts the ticket, it will issue a service ticket that represents the client for the particular service.
Kerberos is a fairly complicated system ...