When troubleshooting Kerberos authentication, the essential tool to start with has been KLIST for some time now (it ships with Windows since Windows Vista and Windows Server 2008). It is a powerful tool: it can display not only the current user's own ticket cache, but also the Kerberos ticket cache of any other logon session whose ID you know.
The term logon session means the in-memory representation (inside the LSA process, lsass.exe) of a logged-on user or service account. Kerberos tickets are always associated with a particular logon session and therefore belong to a specific user or service account. To see the tickets another account holds in its ticket cache, you must first determine the number (ID) of its logon session.
Besides the logon sessions of other users and service accounts, there are a few default built-in logon sessions that are generally worth looking at, namely SYSTEM's own logon session and that of NETWORK SERVICE. LOCAL SERVICE's logon session is of no interest here, as LOCAL SERVICE presents anonymous credentials on the network and therefore cannot use Kerberos at all.
The default built-in logon sessions are always assigned the same logon session IDs, while all other logon sessions receive random IDs. Since you know, for example, that the logon session ID of SYSTEM is always 0x3e7, you can list its Kerberos ticket cache from an elevated prompt with the following command:
klist -li 0x3e7
The default logon session IDs are listed in the following table. Note that the klist -li parameter takes the logon ID as a hexadecimal number:

| Account | Logon ID (hex) | Logon ID (dec) |
|---|---|---|
| SYSTEM | 0x3e7 | 999 |
| NETWORK SERVICE | 0x3e4 | 996 |
| LOCAL SERVICE | 0x3e5 | 997 |
| IUSR | 0x3e3 | 995 |
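The listing above can be automated. The following PowerShell is an added example, not code from the original article: it runs klist -li against each well-known logon session and parses the text output into objects, so the tickets of SYSTEM, NETWORK SERVICE and IUSR can be filtered and compared like any other PowerShell data. It assumes the klist output layout of Windows 8 / Windows Server 2012 and later, an elevated prompt (listing another session's cache needs administrative rights), and the sample klist excerpt embedded below is constructed, not captured from a real host.

```powershell
# Added example (not from the original article): dump the Kerberos ticket cache of
# the well-known logon sessions with "klist -li" and parse the text into objects.
# Assumptions: klist output layout of Windows 8 / Server 2012 and later, elevated prompt.

# Well-known logon session IDs from the table above. LOCAL SERVICE is included only
# to show an empty cache: it presents anonymous credentials on the network.
$WellKnownSessions = [ordered]@{
    'SYSTEM'          = 0x3e7
    'NETWORK SERVICE' = 0x3e4
    'LOCAL SERVICE'   = 0x3e5
    'IUSR'            = 0x3e3
}

function ConvertFrom-KlistOutput {
    # Turns the text written by "klist -li <id>" into one object per cached ticket.
    param([string[]]$Lines, [string]$LogonId)

    $tickets = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($line in $Lines) {
        switch -Regex ($line) {
            '^#\d+>\s+Client:\s+(.+)$' {
                # Every ticket block starts with "#n>  Client: ..."; later lines fill it in.
                $current = [pscustomobject]@{
                    LogonId = $LogonId; Client = $Matches[1].Trim(); Server = $null
                    TicketEnc = $null; Flags = $null; StartTime = $null; EndTime = $null; KdcCalled = $null
                }
                $tickets.Add($current)
            }
            '^\s+Server:\s+(.+)$'                     { if ($current) { $current.Server    = $Matches[1].Trim() } }
            '^\s+KerbTicket Encryption Type:\s+(.+)$' { if ($current) { $current.TicketEnc = $Matches[1].Trim() } }
            '^\s+Ticket Flags\s+(0x[0-9a-fA-F]+)'     { if ($current) { $current.Flags     = $Matches[1] } }
            '^\s+Start Time:\s+(.+)$'                 { if ($current) { $current.StartTime = $Matches[1].Trim() } }
            '^\s+End Time:\s+(.+)$'                   { if ($current) { $current.EndTime   = $Matches[1].Trim() } }
            '^\s+Kdc Called:\s+(.+)$'                 { if ($current) { $current.KdcCalled = $Matches[1].Trim() } }
        }
    }
    return $tickets
}

function Get-KerberosTicketCache {
    # Runs klist against one logon session given as a LUID (hex or decimal literal).
    param([Parameter(Mandatory)][uint64]$LogonId)
    $hex = '0x{0:x}' -f $LogonId
    $out = & klist.exe -li $hex 2>&1 | ForEach-Object { "$_" }
    ConvertFrom-KlistOutput -Lines $out -LogonId $hex
}

# Offline check of the parser on a constructed klist excerpt (not captured from a real host).
$SampleKlist = @'
Current LogonId is 0:0x3e7

Cached Tickets: (1)

#0>     Client: WS01$ @ EXAMPLE.LOCAL
        Server: krbtgt/EXAMPLE.LOCAL @ EXAMPLE.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 1/2/2024 8:00:00 (local)
        End Time:   1/2/2024 18:00:00 (local)
        Renew Time: 1/9/2024 8:00:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: DC01.example.local
'@ -split "`r?`n"
ConvertFrom-KlistOutput -Lines $SampleKlist -LogonId '0x3e7' | Format-List

# Live run over the well-known sessions (elevated prompt, domain-joined host).
foreach ($name in $WellKnownSessions.Keys) {
    $luid = $WellKnownSessions[$name]
    Write-Host ('==== {0} (0x{1:x} / {1}) ====' -f $name, $luid)
    Get-KerberosTicketCache -LogonId $luid | Format-Table Client, Server, TicketEnc, EndTime -AutoSize
}
```

The parser only keys on the field labels that klist has printed for years (Client, Server, KerbTicket Encryption Type, Ticket Flags, Start/End Time, Kdc Called); if a future build changes those labels, the affected property simply stays empty rather than breaking the run. An empty result for SYSTEM on a domain-joined machine usually means the prompt is not elevated, not that the cache is empty.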
For other logged-on user accounts and service identities, you must determine the logon session ID dynamically. You can use the command line (WMIC, which is deprecated in current Windows versions but still present on many systems) or PowerShell:
wmic logon assoc /resultclass:win32_account
gwmi Win32_LogonSession | % { $one = $_ ; $one.GetRelated('Win32_Account') | Select Domain, Name, SID, @{ n = 'LogonSessionHEX' ; e = { '0x{0:X}' -f ([uint64] $one.LogonId) } }, @{ n = 'LogonSessionDEC' ; e = { $one.LogonId } } , @{ n = 'LogonType' ; e = { $one.LogonType } } }
Note that the output of the PowerShell command displays both the hexadecimal and the decimal representation of the logon ID (LogonId is stored as a string in WMI, and the cast to [uint64] avoids an overflow on large IDs). The PowerShell command also displays the type of the logon session. The logon types are listed in the following table; they let you tell apart different logon sessions of the same account, for example a user's interactive console session from the network session created when the same user connects to a share on this computer.
| Logon type | ID | User right | Notes |
|---|---|---|---|
| Interactive | 2 | Log on locally | |
| Network | 3 | Access this computer from the network | |
| Batch | 4 | Log on as a batch job | |
| Service | 5 | Log on as a service | |
| Unlock | 7 | | Does not appear as the logon type of any logon session. This ID is only used by the Logon/Logoff auditing category and shows up in the Security event log when that auditing is enabled. |
| NetworkCleartext | 8 | Access this computer from the network | Used by logon sessions started from the network and authenticated with Basic authentication or LDAP simple bind, where the password travels in cleartext. |
| NewCredentials | 9 | | Created by runas /netonly: the caller's existing token is cloned and the supplied credentials are used only for outbound network connections. |
| RemoteInteractive | 10 | Access this computer through Remote Desktop Services | |
| CachedInteractive | 11 | Log on locally | Validated against locally cached domain credentials, no domain controller reachable. |
| CachedRemoteInteractive | 12 | Access this computer through Remote Desktop Services | Validated against locally cached domain credentials. |
| CachedUnlock | 13 | | Validated against locally cached domain credentials. |
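The WMI one-liner above and the logon type table can be combined into one reusable inventory. The following PowerShell is an added example, not code from the original article: it enumerates every logon session with the CIM cmdlets (the supported replacement for WMIC and gwmi), resolves the associated account, prints the logon ID in both hex and decimal, names the logon type from the table, flags the well-known session IDs from the first table, and lets you filter on logon type so that NewCredentials and NetworkCleartext sessions can be pulled out on their own. It assumes PowerShell 3.0 or later and the documented Win32_LogonSession / Win32_Account classes; the function and property names are this example's own.

```powershell
# Added example (not from the original article): inventory of logon sessions with
# account, logon ID (hex and decimal), logon type name and well-known session flag.
# Assumes PowerShell 3.0+ (CIM cmdlets, -notin) and the Win32_LogonSession schema.

# Logon type names from the table above.
$LogonTypeNames = @{
    2 = 'Interactive';        3 = 'Network';           4 = 'Batch'
    5 = 'Service';            7 = 'Unlock';            8 = 'NetworkCleartext'
    9 = 'NewCredentials';    10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
   12 = 'CachedRemoteInteractive'; 13 = 'CachedUnlock'
}
# Well-known LUIDs keyed by their hex string, so the lookup does not depend on the
# integer type used for the LUID.
$WellKnownLuids = @{ '0x3e7' = 'SYSTEM'; '0x3e4' = 'NETWORK SERVICE'; '0x3e5' = 'LOCAL SERVICE'; '0x3e3' = 'IUSR' }

function Get-LogonSessionInventory {
    param([int[]]$LogonType)   # optional filter, e.g. -LogonType 8, 9

    foreach ($session in Get-CimInstance -ClassName Win32_LogonSession) {
        $luid = [uint64]$session.LogonId      # LogonId is a string in WMI; [int] overflows on large LUIDs
        $hex  = '0x{0:x}' -f $luid
        $type = [int]$session.LogonType
        if ($LogonType -and ($type -notin $LogonType)) { continue }

        # The Win32_LoggedOnUser association links a session to its account(s). A session
        # whose association is already gone is still reported, not silently dropped.
        $accounts = @(Get-CimAssociatedInstance -InputObject $session -ResultClassName Win32_Account)
        if ($accounts.Count -eq 0) { $accounts = @($null) }

        foreach ($acct in $accounts) {
            if ($acct)                                 { $account = '{0}\{1}' -f $acct.Domain, $acct.Name; $sid = $acct.SID }
            elseif ($WellKnownLuids.ContainsKey($hex)) { $account = $WellKnownLuids[$hex];                 $sid = $null }
            else                                       { $account = '<unresolved>';                       $sid = $null }
            if ($LogonTypeNames.ContainsKey($type)) { $typeName = $LogonTypeNames[$type] } else { $typeName = "Other($type)" }

            [pscustomobject]@{
                Account         = $account
                SID             = $sid
                LogonSessionHEX = $hex
                LogonSessionDEC = $luid
                LogonType       = $type
                LogonTypeName   = $typeName
                WellKnown       = $WellKnownLuids.ContainsKey($hex)
                KerberosCapable = ($hex -ne '0x3e5')   # LOCAL SERVICE is anonymous on the network
                StartTime       = $session.StartTime
            }
        }
    }
}

# Full inventory: the same data as the WMI one-liner above, plus type name and flags.
Get-LogonSessionInventory | Sort-Object LogonSessionDEC |
    Format-Table Account, LogonSessionHEX, LogonSessionDEC, LogonType, LogonTypeName, WellKnown, KerberosCapable -AutoSize

# Sessions worth a second look: NewCredentials (runas /netonly, or tools that inject
# alternate network credentials the same way) and NetworkCleartext (Basic / simple bind).
Get-LogonSessionInventory -LogonType 8, 9 |
    Format-Table Account, LogonSessionHEX, LogonTypeName, StartTime -AutoSize
```

The LogonSessionHEX value is exactly what klist -li expects, so a session picked from this output can be fed straight into klist -li 0x... from an elevated prompt. Run as a non-administrator the CIM query still returns every session, but klist will only show the caches of the caller's own sessions.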