Skip Menu |

Subject: klist doesn't display LSA TGTs
Unless HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
AllowTGTSessionKey is set (and this may not operate in recent
versions of Windows 10), klist will silently omit TGTs when
displaying an MSLSA ccache.

Leash gets around this by setting the KRB5_TC_NOTICKET flag on the
cache. This flag causes cc_mslsa.c to construct the creds structure
based solely on the KERB_TICKET_CACHE_INFO_EX2 metadata, and to
ignore the session key being all zeros. The resulting cred structure
does not contain an encoded ticket. I am not sure whether it would
be possible to retrieve the encoded ticket for a TGT in the LSA (that
is, does a KerbRetrieveEncodedTicketMessage
LsaCallAuthenticationPackage() call fail for these entries) or if all
we really needed to do was ignore the zeroed session key.

klist examines the decoded if the -e flag is specified, to get the
enctype of the ticket. It also displays the ticket field for config
entries. I am not sure whether storing config entries in an MSLSA
ccache works.