
Get information about the cached Kerberos tickets on a specific server.

Get cached Kerberos tickets

Often during troubleshooting or an investigation there is a need to list the cached Kerberos tickets on a given machine. `klist sessions` (followed by `klist tickets -li <LUID>` per logon session) makes that a breeze, but the output is fairly hard to read and awkward to parse. The script below turns it into PowerShell objects, one per cached ticket, so you can filter by identity or look only for tickets that were issued with non-AES encryption types. Two caveats worth knowing: reading the tickets of logon sessions other than your own requires an elevated token, so the script checks for the Administrator role and re-launches itself elevated when needed; and the parsing depends on the exact line layout of klist's text output, so a different klist version or localisation may need the offsets adjusted.


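<#
.SYNOPSIS
   Gathers information about cached Kerberos tickets on the local machine.
.DESCRIPTION
   Runs "klist sessions" to enumerate logon sessions, then "klist tickets"
   (or "klist tickets -li <LUID>" for sessions other than the caller's) and
   converts the text output into one object per cached ticket. Querying other
   logon sessions needs an elevated (Administrator) token, so a non-elevated
   run re-launches itself through UAC and stops.
.PARAMETER UserName
   Substring filter on the session Identity (DOMAIN\user). The value is used
   inside a wildcard pattern, so "User1" also matches "User10".
.PARAMETER OnlyLegacyEncryption
   Return only tickets whose ticket encryption type or session key type is
   not AES.
.EXAMPLE
  .\Get-KerberosTickets.ps1 -username User1 -OnlyLegacyEncryption
  Get all cached tickets for username User1 and outputs only non-AES encrypted;
.EXAMPLE
  .\Get-KerberosTickets.ps1 -username User1
  Lists all cached tickets for username User1
.EXAMPLE
  .\Get-KerberosTickets.ps1 -OnlyLegacyEncryption
  Get all cached tickets and outputs only non-AES encrypted
#>

[CmdletBinding()]
param (
       [string]$UserName,
       [switch]$OnlyLegacyEncryption
      )

$principal = [Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
  {
   # "klist tickets -li" for other logon sessions does not work without an
   # elevated token, so re-launch this script through UAC. Notes:
   #  - $PSCommandPath is the running script's path (the original referenced
   #    the non-existent $PSCommanPath, i.e. an empty -File argument).
   #  - -NoNewWindow and -Verb belong to different Start-Process parameter
   #    sets and cannot be combined; the elevated copy therefore gets its own
   #    console, kept open with -NoExit so the report stays readable.
   #  - -ExecutionPolicy Bypass applies only to that child process.
   #  - The caller's switches are forwarded so the elevated run behaves alike.
   $relaunchArgs = @('-NoProfile', '-NoExit', '-ExecutionPolicy', 'Bypass', '-File', "`"$PSCommandPath`"")
   if ($UserName)             { $relaunchArgs += @('-UserName', "`"$UserName`"") }
   if ($OnlyLegacyEncryption) { $relaunchArgs += '-OnlyLegacyEncryption' }
   Start-Process -FilePath powershell.exe -ArgumentList $relaunchArgs -Verb RunAs
   # Do not continue unelevated: the rest of the script would otherwise run a
   # second, mostly failing, collection alongside the elevated one.
   exit
  }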
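# klist reports its own failures ("klist failed with 0x...") as ordinary text,
# and indexing/.split() on lines shorter than expected throws, so the
# collection runs with errors silenced. The caller's preference is saved and
# restored in the finally block instead of being forced back to "Continue".
$savedErrorAction = $ErrorActionPreference
$ErrorActionPreference = "SilentlyContinue"

# DOMAIN\user of the token running this script. Its own logon session is read
# with a plain "klist tickets"; every other session needs "-li <LUID>", which
# only succeeds from an elevated token (checked above).
$currentIdentity = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).identities.name

# Builds one report row for a logon session. With -TicketLines (the "Client:"
# line of one klist ticket entry plus the 10 lines after it) the ticket columns
# are filled from those lines; otherwise every ticket column carries -Message.
function New-TicketRecord
{
    param (
        [string]$SessionID,
        [string]$AuthenticationMethod,
        [string]$Type,
        [string]$Identity,
        [string[]]$TicketLines,
        [string]$Message
    )
    $row = [pscustomobject]@{
        SessionID            = $SessionID
        AuthenticationMethod = $AuthenticationMethod
        Type                 = $Type
        Identity             = $Identity
        Client               = $Message
        Server               = $Message
        EncryptionType       = $Message
        StartTime            = $Message
        EndTime              = $Message
        RenewTime            = $Message
        SessionKeyType       = $Message
        KDC                  = $Message
    }
    if ($TicketLines)
    {
        # Fixed offsets inside one ticket entry; line 3 (Ticket Flags) and
        # line 8 (Cache Flags) are not reported. Times are split on the first
        # ':' only because the timestamp itself contains colons.
        $row.Client         = ($TicketLines[0].split(':')[1]).Trim()
        $row.Server         = ($TicketLines[1].split(':')[1]).Trim()
        $row.EncryptionType = ($TicketLines[2].split(':')[1]).Trim()
        $row.StartTime      = ($TicketLines[4].split(':', 2)[1]).Trim()
        $row.EndTime        = ($TicketLines[5].split(':', 2)[1]).Trim()
        $row.RenewTime      = ($TicketLines[6].split(':', 2)[1]).Trim()
        $row.SessionKeyType = ($TicketLines[7].split(':')[1]).Trim()
        $row.KDC            = ($TicketLines[9].split(':')[1]).Trim()
    }
    $row
}

$Sessions = @(klist sessions)
$i = 0
try
{
  # Rows are emitted from the loop instead of appended with "+=" (which copies
  # the whole array on every iteration).
  $report = @(foreach ($session in $Sessions)
    {
     $i++
     Write-Progress -Activity "Gathering cached tickets information.." -CurrentOperation "$i out of $($Sessions.Count)" -PercentComplete ($i / $Sessions.Count * 100)

     # Each session line is parsed positionally: the 4th space-separated token
     # is the LUID as <high>:<low>, the last token is <AuthPackage>:<LogonType>,
     # and the identity sits between them. Only the low part (0x...) of the
     # LUID is accepted by "klist tickets -li". Lines that yield no LUID or
     # have fewer than five spaces (klist's header and blank lines) are
     # skipped instead of silently reusing the previous iteration's values.
     $tokens = $session.split(' ')
     $luid = $tokens[3]
     $SessionID = $null
     if     ($luid -like "0:0x*")   { $SessionID = $luid.Replace('0:', '') }
     elseif ($luid -like "0x1:0x*") { $SessionID = $luid.Replace('0x1:', '') }
     $spaceCount = ($session.ToCharArray() | Where-Object { $_ -eq ' ' } | Measure-Object).Count
     if (-not $SessionID -or $spaceCount -lt 5) { continue }

     $lastToken = $tokens | Select-Object -Last 1
     $AuthenticationMethod = $lastToken.Split(':')[0]
     $Type = $lastToken.Split(':')[1]
     # The identity may itself contain spaces (e.g. "NT AUTHORITY\SYSTEM"), so
     # the line is re-split with a limit of 5 and the trailing colon token
     # (AuthPackage:LogonType) is dropped from the remainder.
     $Identity = (($session.split(' ', 5) | Select-Object -Last 1).split(' ') | Where-Object { $_ -notlike "*:*" }) -join ' '

     if ($currentIdentity -eq $Identity) { $ktickets = @(klist tickets) }
     else                                { $ktickets = @(klist tickets -li $SessionID) }

     $tickets = @($ktickets | Select-String "Client:" -Context 0,10)
     if ($tickets.Count -ge 1)
       {
        foreach ($ticket in $tickets)
          {
           # Stringifying the MatchInfo yields the matched line followed by
           # its 10 context lines, separated by CRLF.
           New-TicketRecord -SessionID $SessionID -AuthenticationMethod $AuthenticationMethod -Type $Type -Identity $Identity -TicketLines ($ticket -split "`r`n")
          }
       }
     else
       {
        # $Message is set on every path so a row never inherits the message
        # of an earlier session.
        if     ($ktickets -contains "Cached Tickets: (0)") { $Message = "No Cached Tickets" }
        elseif ($ktickets[5] -like "*klist failed*")       { $Message = $ktickets[3] }
        else                                               { $Message = "Unrecognized klist output" }
        New-TicketRecord -SessionID $SessionID -AuthenticationMethod $AuthenticationMethod -Type $Type -Identity $Identity -Message $Message
       }
    })
}
finally
{
  Write-Progress -Activity "Gathering cached tickets information.." -Completed
  $ErrorActionPreference = $savedErrorAction
}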


# Post-filters on the collected rows; both can be combined.
if ($UserName)
  {
   # Substring match: the value is embedded in a wildcard pattern, so "User1"
   # also selects "User10" and wildcard characters in the value stay active.
   $report = $report | Where-Object { $_.Identity -like "*$UserName*" }
  }
if ($OnlyLegacyEncryption)
  {
   # Keep rows where either the ticket or the session key is non-AES. The
   # placeholder rows for sessions without tickets are dropped; rows whose
   # columns carry a klist error message are not AES either and pass through.
   $report = $report | Where-Object {
       ($_.EncryptionType -notlike "AES-*" -or $_.SessionKeyType -notlike "AES-*") -and
       $_.EncryptionType -ne "No Cached Tickets"
   }
  }
$report

References:

 
 