Kerberos Tray (KerbTray.exe) (RK)

The Kerberos Tray tool lists all cached Kerberos tickets and allows you to view the tickets' properties as well as to purge tickets. This information may help in resolving problems with authentication and access to network resources. (If an AD-based computer has not obtained the initial ticket-granting-ticket (TGT) from a Kerberos Distribution Center (KCC) during the first logging on to the domain, or if the cached tickets have expired and haven't been renewed, the computer won't be authenticated to access the resources.) For Kerberos authentication to be performed successfully, you should ensure that all computers have time settings synchronized with a common time service (within five minutes of delta).

The tool starts in minimized mode, and you can find its icon on the system tray (in the right bottom corner of the screen). If you move the mouse cursor over the icon, the time left on the initial TGT will be displayed (Fig. 14.1; left).

Fig. 14.1: The Kerberos Tray tool displays the time left on the initial TGT before it expires (left); the tool's context menu (right) allows you to select an operation

If you double-click the icon or select the List Tickets command from the context menu (Fig. 14.1; right), the main tool's window will appear (Fig. 14.2). It displays all cached Kerberos tickets acquired upon/since the first user's logon.

Fig. 14.2: In this window, you can see the information about all cached tickets and their properties

The Purge Tickets command clears the entire ticket cache (thus, KerbTray differs from the Kerberos List tool, which is able to delete tickets selectively). No warnings are issued before clearing the cache, so be cautious! While the cache is empty, you may be prevented from being authenticated to resources, and a logoff/logon operation will be required.

Let us discuss the main ticket's properties, which are displayed by the tool.

• The Client Principal field contains the name of the current logon account. If the ticket cache is empty, this field displays the "No network credentials" message.

• All tickets obtained since logon are listed in the scrolling window. The properties of the selected ticket are displayed on the tabs below.

• The strings below the scrolling list contain the name of a security principal for the selected ticket. If the ticket time is over, the "Expired" string is displayed and no properties are shown on the tabs.

• The Names tab contains:

  • Client Name — requestor of the ticket. In most cases (while accessing resources in the current domain) this is the same name that is displayed in the Client Principal field.

  • Service Name — the security principal (account) name for the service. The samAccountName attribute of the account's directory object stores this name.

  • Target Name — one of the service names contained in the multi-valued servicePrincipalName attribute of the computer's directory object. This is the service name the ticket has been obtained for.

• The time when the ticket was obtained (Start time) and its expiration time (End time) are shown on the Times tab. Interpretation of the Flags tab requires a more profound understanding of Kerberos protocol. The Initial flag is set only for the ticket that was obtained without the TGT.