
KLIST Command Guide | Manage Kerberos Tickets in Windows (2026)

Master the klist command to view and purge Kerberos tickets. Learn how to troubleshoot Active Directory authentication with 10+ examples and expert tips.

Rojan Acharya

The klist command (Kerberos List) is a fundamental diagnostic tool for Windows administrators and security professionals. It allows users to view, manage, and purge the Kerberos tickets currently cached by the local machine. In any Active Directory (AD) environment, Kerberos is the primary authentication protocol that provides secure, single sign-on (SSO) access to domain resources like file shares, databases, and internal web applications.

Understanding how to use klist is critical for troubleshooting "Access Denied" errors, resolving "Clock Skew" issues, and validating that a user has the appropriate group memberships represented in their service tickets. Beyond basic administration, klist is also a vital tool for security auditing and "purple teaming," as it helps identify potential "Pass-the-Ticket" or "Skeleton Key" attacks by revealing the details of cached credentials.

This comprehensive 2026 guide covers the full spectrum of klist functionality, from checking for a valid TGT (Ticket-Granting Ticket) to purging old tickets after a password change. We will provide more than 10 practical examples, detailed explanations of Kerberos terminology, and expert troubleshooting tips for identity and access management (IAM).

What is Kerberos Authentication?

Before diving into the klist command, it's essential to understand the core components of the Kerberos protocol. Kerberos works on a system of "tickets" to prove identity without passing passwords over the network.

  • KDC (Key Distribution Center): The Domain Controller that issues tickets.
  • TGT (Ticket-Granting Ticket): The initial ticket obtained after a successful login. It's used to request other "Service Tickets."
  • TGS (Ticket-Granting Service): The part of the KDC that issues Service Tickets.
  • Service Ticket: A ticket specifically used to access a particular resource (e.g., CIFS/Server01).
  • Ticket Cache: A memory-resident storage area where these tickets are kept for the duration of the user session.

The klist command is your window into this cache.

Syntax

The klist command follows a simple subcommand structure.

klist [tickets | tgt | purge | sessions | kcd_cache | get | add_bind | query_bind | purge_bind]

Common Subcommands

  • tickets: The most used subcommand. Lists all cached Service Tickets.
  • tgt: Specifically displays your Ticket-Granting Ticket.
  • purge: Deletes all cached tickets for the current session.
  • sessions: Lists all active logon sessions on the machine (requires admin rights).
  • get: Fetches a ticket for a specific service principal name (SPN).
  • kcd_cache: Displays the constrained delegation cache information.

Detailed Command Parameters

Subcommand: tickets

When you run klist tickets, it returns a detailed list of every resource you've accessed recently.

  • Client: The user who owns the ticket (e.g., User01@DOMAIN.COM).
  • Server: The target resource (e.g., krbtgt/DOMAIN.COM).
  • KerbTicket Encryption Type: The algorithm used (e.g., AES-256-CTS-HMAC-SHA1-96).
  • Start/End/Renew Time: The timestamps for when the ticket becomes valid, when it expires, and until when it can be renewed.

10 Practical Klist Command Examples

1. Listing All Cached Tickets

To see all the Kerberos tickets currently held by your user account:

klist tickets

Expected Output: A list showing the Client, Server, and Encryption Type for each ticket. Explanation: Use this to verify you actually have an active domain session.

2. Viewing the TGT (Ticket-Granting Ticket)

To see your "Master Ticket" which allows you to get other tickets:

klist tgt

Explanation: If this command returns nothing, you are either logged in with a local account or your domain connection is broken.

3. Purging All Cached Tickets

When your permissions change (e.g., you were added to a new security group), you often need to clear your cache.

klist purge

Explanation: This forces the system to request brand new tickets with your updated "Privilege Attribute Certificate" (PAC) data next time you access a resource.

4. Fetching a Ticket for a Specific Service (SPN)

To proactively request an authentication ticket for a server without actually connecting to it:

klist get CIFS/FS01.domain.local

Explanation: This is excellent for testing if a specific server's Kerberos configuration is working correctly.

5. Listing All Active Logon Sessions

System administrators use this to see who else is logged into a server (Terminal Services, etc.).

klist sessions

Warning: This command requires administrative privileges to display sessions other than your own.

6. Checking Encryption Types

In security-hardened environments, you may want to ensure you aren't using weak encryption (RC4).

klist tickets | findstr /i "AES"

Explanation: Filters the output down to the encryption-type lines of tickets using modern, secure AES encryption; any cached ticket that does not appear in the filtered output is using a different (possibly weak) type.
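A small PowerShell script that goes beyond the findstr filter above, added here as an illustration and not part of klist or the original article: it parses klist tickets output into objects and flags both RC4 tickets and tickets close to expiry (the Renew/End Time check from the tips later on). The function names and the sample output are assumptions; the sample is constructed to mirror klist's layout.

```powershell
function ConvertFrom-KlistTickets {
    param([Parameter(Mandatory)][string[]]$Lines)
    $t = $null
    foreach ($line in $Lines) {
        if ($line -match '^#\d+>') {            # "#N>" opens a new ticket block
            if ($null -ne $t) { [pscustomobject]$t }
            $t = [ordered]@{ Client = $null; Server = $null; EncryptionType = $null
                             StartTime = $null; EndTime = $null; RenewTime = $null }
            $line = $line -replace '^#\d+>\s*', ''
        }
        if ($null -eq $t) { continue }           # skip LogonId / count header lines
        switch -Regex ($line.Trim()) {
            '^Client:\s*(.+)$'                     { $t.Client = $Matches[1] }
            '^Server:\s*(.+)$'                     { $t.Server = $Matches[1] }
            '^KerbTicket Encryption Type:\s*(.+)$' { $t.EncryptionType = $Matches[1] }
            '^(Start|End|Renew) Time:\s*(.+?)\s*\(local\)$' {
                # klist prints timestamps in the current culture; Parse accepts that
                $t["$($Matches[1])Time"] = [datetime]::Parse($Matches[2])
            }
        }
    }
    if ($null -ne $t) { [pscustomobject]$t }
}

function Find-RiskyTickets {
    param([object[]]$Tickets, [datetime]$Now = (Get-Date), [int]$WarnMinutes = 60)
    foreach ($tk in $Tickets) {
        $why = @()
        if ($tk.EncryptionType -match 'RC4') { $why += 'RC4 (weak) encryption' }
        if ($tk.EndTime -and ($tk.EndTime - $Now).TotalMinutes -lt $WarnMinutes) { $why += "expires at $($tk.EndTime)" }
        if ($why) { [pscustomobject]@{ Server = $tk.Server; Reason = ($why -join '; ') } }
    }
}

# Constructed sample in klist's layout (not captured from a real host).
$sample = @'
Current LogonId is 0:0x3e7
#0>     Client: user01 @ DOMAIN.COM
        Server: krbtgt/DOMAIN.COM @ DOMAIN.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        End Time:   2026-05-01 18:00:00 (local)
#1>     Client: user01 @ DOMAIN.COM
        Server: cifs/fs01.domain.local @ DOMAIN.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        End Time:   2026-05-01 18:05:00 (local)
'@
$tickets = ConvertFrom-KlistTickets -Lines ($sample -split "`r?`n")
Find-RiskyTickets -Tickets $tickets -Now ([datetime]'2026-05-01T17:30:00')
```

Against the live cache, feed the real output instead: Find-RiskyTickets -Tickets (ConvertFrom-KlistTickets -Lines (klist tickets)).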

7. Troubleshooting Kerberos Delegation

If you are using Kerberos Constrained Delegation (KCD):

klist kcd_cache

Explanation: Displays cached information regarding constrained delegation for the current computer.

8. Querying Specific Ticket Bindings (RPC)

For advanced network debugging:

klist query_bind

Explanation: Lists the RPC bindings that the Kerberos client uses to communicate with the KDC.

9. Deleting a Specific Binding

If a specific RPC target is problematic:

klist purge_bind

Explanation: Clears the cached domain controller binding information so the Kerberos client rediscovers a domain controller on its next request.

10. Combining Klist with Whoami for Full Context

To get a full picture of your identity and its associated tickets:

whoami /groups && klist tickets

Explanation: Shows your AD group memberships alongside your actual cached authentication tokens.

Common Use Cases for Klist

1. Resolving Authentication Delays

If a user experiences delays when accessing a specific file share, klist tickets can show if the system is constantly re-requesting a ticket because of an expired TGT or a mismatch in the server SPN.

2. Validating Group Membership Changes

In Active Directory, adding a user to a group is "immediate" in the database, but the user's ticket won't reflect it until it expires or is purged. klist purge is the standard tool to force an update without logging off.

3. Identifying Kerberos vs. NTLM

If klist tickets shows no entry for a server you are connected to, it usually means you've "fallen back" to NTLM authentication, which is less secure and may indicate DNS or SPN issues.

4. Security Incident Response

During a "Pass-the-Ticket" investigation, responders use klist sessions to look for suspicious or orphaned logon sessions that shouldn't be active on the system.

Troubleshooting Common Issues

Issue 1: "Server not found" or "Principal Name not found"

Cause: The service principal name (SPN) is not registered in Active Directory, or there is a DNS mismatch. Solution: Check the SPN with setspn -L <servername> and ensure DNS resolution matches the name you are using.

Issue 2: "KDC has no support for encryption type"

Cause: Trying to use AES on a legacy domain controller (2003) or a mismatch in the local security policy. Solution: Ensure both client and server are configured to support modern encryption like AES-256 in their local GPO.

Issue 3: "Clock skew too great"

Cause: The local machine's time is more than 5 minutes different from the Domain Controller's time. Solution: Use w32tm /resync to synchronize your clock with the domain controller.

Issue 4: "klist purge" doesn't fix the issue

Cause: The new group membership hasn't replicated to the DC you are talking to, or the target service doesn't use Kerberos. Solution: Wait for AD replication or check the target service's authentication settings.
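The DNS, SPN and clock-skew checks from Issues 1 to 3 combined into one PowerShell function, added here as an illustration and not from the article or from Microsoft: Test-KerberosPrereqs, its parameter names, and the output formats it expects from setspn -Q and w32tm /stripchart are assumptions, and the target names in the usage line are placeholders.

```powershell
function Test-KerberosPrereqs {
    param(
        [Parameter(Mandatory)][string]$Spn,               # e.g. CIFS/fs01.domain.local
        [Parameter(Mandatory)][string]$DomainController,  # DC to compare the clock against
        [int]$MaxSkewSeconds = 300                        # Kerberos default tolerance: 5 minutes
    )
    # Host part of the SPN, without an optional :port suffix
    $fqdn = (($Spn -split '/')[1] -split ':')[0]
    $result = [ordered]@{ Spn = $Spn; DnsResolves = $false; SpnRegistered = $false
                          SkewSeconds = $null; SkewOk = $false }

    # 1. DNS: the name handed to klist get must resolve (use the FQDN, not a short name)
    $result.DnsResolves = [bool](Resolve-DnsName -Name $fqdn -ErrorAction SilentlyContinue)

    # 2. SPN: assumed output string of setspn -Q when the SPN is registered in AD
    $result.SpnRegistered = [bool]((setspn -Q $Spn) -match 'Existing SPN found')

    # 3. Clock skew: assumed /dataonly line format "HH:mm:ss, +00.0123456s"
    $chart = w32tm /stripchart /computer:$DomainController /samples:1 /dataonly
    $m = $chart | Select-String -Pattern ',\s*([+-]\d+\.\d+)s' | Select-Object -Last 1
    if ($m) {
        $result.SkewSeconds = [math]::Abs([double]$m.Matches[0].Groups[1].Value)
        $result.SkewOk = $result.SkewSeconds -le $MaxSkewSeconds
    }
    [pscustomobject]$result
}

# Placeholder target names; replace with your own SPN and domain controller.
Test-KerberosPrereqs -Spn 'CIFS/fs01.domain.local' -DomainController 'dc01.domain.local'
```

A result with DnsResolves, SpnRegistered and SkewOk all true means the three prerequisites are in place and a failing klist get points elsewhere (replication lag, the service not using Kerberos).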

Related Commands

SETSPN – SPN Manager

Used to register and query Service Principal Names, which are required for klist to work correctly.

NSLOOKUP – DNS Checker

Since Kerberos relies heavily on DNS, nslookup is the first tool to use when klist shows "KDC not found" errors.

W32TM – Time Service

Essential for fixing "Clock skew" errors that prevent Kerberos tickets from being issued.

Tips and Best Practices

  • Check Your TGT First: If you have no TGT, no other tickets will work. Always run klist tgt as your first troubleshooting step.
  • Always Purge After Changes: If you've been added to an AD group, run klist purge to avoid waiting 10 hours for a ticket refresh.
  • Admin Privileges for Sessions: Remember that klist sessions only shows YOUR session unless you run as Administrator.
  • Look for AES-256: If you see RC4-HMAC, warn your security team, as this is a weak encryption type prone to "Kerberoasting."
  • DNS is Key: 90% of Kerberos issues are actually DNS issues. Ensure your klist get calls use a Fully Qualified Domain Name (FQDN).
  • Automation Scripts: Use klist purge in batch scripts before launching applications that require the very latest AD permissions.
  • Verify SPN Mapping: Use setspn -Q if you suspect a duplicate SPN is causing "Ticket expired" or "Duplicate principal" errors.
  • Understand Ticket Lifetimes: By default, tickets last 10 hours and are renewable for 7 days. Check the Renew Time to see if your TGT is nearing expiration.
  • Check for "Pass-the-Hash" tools: If you see tickets belonging to users who shouldn't be on the system, investigate immediately.
  • Service Account Identity: If you are troubleshooting a service failure, run klist in the context of that service account using psexec -s cmd.

Frequently Asked Questions

What does klist stand for?

klist stands for "Kerberos List." It's a Windows implementation of a tool originally found in the MIT Kerberos distribution.

How do I clear my Kerberos cache?

Use the command klist purge. This safely deletes all active tickets without affecting your user profile.

Why do I see a krbtgt ticket?

The krbtgt ticket is your Ticket-Granting Ticket (TGT). It's the "master" ticket that the system uses to get other specific service tickets.

Does klist work without a domain?

No, the klist command is designed for use in Active Directory environments that use the Kerberos protocol. On a standalone PC with local accounts, it will return nothing.

Can I use klist to see someone else's tickets?

Only if you have administrative privileges and use klist sessions together with specialized tools to impersonate their session. Normally, klist is user-specific for security reasons.

What is a "Service Principal Name" (SPN)?

An SPN is a unique identifier (like HTTP/myserver.com) that allows the Kerberos client to find the correct service account in Active Directory to authenticate against.

Does klist provide password information?

No, klist only shows metadata about the tickets (who, what, when, and encryption). It never displays cleartext passwords or sensitive key data.

Is klist part of PowerShell?

No, klist.exe is a standalone command-line executable. However, you can easily call it from any PowerShell window.

Quick Reference Card

  • List all tickets: klist tickets
  • View master TGT: klist tgt
  • Clear all tickets: klist purge
  • See all logon sessions: klist sessions
  • Fetch a specific ticket: klist get <SPN>
  • Help/Extended info: klist /?

Summary

The klist command is an indispensable window into the soul of your Windows identity. By providing visibility into the cached Kerberos tickets, it empowers administrators to diagnose authentication failures, confirm group deployments, and audit the security of their environment.

Whether you're fixing a single "Access Denied" error or securing an entire forest against credential theft, mastering the klist command is a vital skill. Remember to always start by checking your TGT, and don't hesitate to purge when AD changes aren't taking effect. With klist in your toolbox, you have the diagnostic clarity needed to manage modern Windows authentication with speed and confidence.