Tool starts iconified in the system tray.
Kerberos Tray is a GUI tool that displays ticket information for a computer running the Kerberos protocol.
The KerbTray icon is located in the status area of your desktop and can be used to view and purge the ticket cache. Positioning your mouse cursor over the KerbTray icon will display the time left on your initial ticket-granting ticket (TGT) before it expires. The icon will also change in the last hour of life before the Local Security Authority (LSA) renews the ticket.
Note
Your initial ticket-granting ticket (TGT) is the ticket you received when you first logged onto the Windows 2000 domain with your account.
Double-clicking the icon will bring up a list of tickets you have obtained since logon. Right-clicking the icon will bring up a menu; selecting List Tickets displays the same dialog as a double-click.
The KerbTray dialog comprises the following sections:
Names tab

| Option | Description |
|---|---|
| Client name | Requestor of the ticket. In most cases this is your client principal name. |
| Service name | Canonical name of the account principal for the service. This is the same as the samAccountName property in the directory for that account. A ticket-granting ticket (TGT) is a ticket for the key distribution center (KDC) service. The "initial" TGT is the TGT that you got when you logged on to the domain with your account. The service name for a TGT is "krbtgt". |
| Target name | Service name the ticket was requested for. This is the name of a servicePrincipalName property on an account in the directory. |
Times tab

| Option | Description |
|---|---|
| Start time | Time the ticket is valid from. |
| End time | Time the ticket is valid until. Once a ticket is past this time, it can no longer be used to authenticate to a service. |
| Renew until | If the ticket is a renewable ticket, then this is the maximum lifetime of the ticket. In order to continue using a ticket it must be renewed. Tickets must be renewed before both the End time and Renew until times expire. |
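The Times tab semantics above, as an added example that is not part of KerbTray or the Resource Kit: a small Python model of a ticket's Start time, End time and Renew until values that classifies the ticket the way the tray icon does (including the last-hour warning), reports the time left that the tooltip would show, and checks when a renewal is still possible and how far it can extend the ticket. The sample ticket is constructed; its 10-hour lifetime and 7-day renewal bound are assumptions for illustration, not values read from any ticket cache.

```python
"""Ticket lifetime checks matching the Times tab: start, end and renew-until.

Added example, not part of KerbTray. The sample ticket below is constructed;
its 10-hour lifetime and 7-day renewal window are only an illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

WARN_WINDOW = timedelta(hours=1)  # the tray icon changes in the last hour of life


@dataclass(frozen=True)
class TicketTimes:
    start: datetime
    end: datetime
    renew_until: Optional[datetime] = None  # None: the ticket is not renewable

    @property
    def renewable(self) -> bool:
        return self.renew_until is not None


def sample_time(day: int, hour: int, minute: int = 0) -> datetime:
    """Constructed timestamps in May 2000 (UTC) for the sample ticket."""
    return datetime(2000, 5, day, hour, minute, tzinfo=timezone.utc)


# Constructed sample TGT: issued 08:00 on 1 May, 10-hour lifetime, renewable for 7 days.
SAMPLE_TGT = TicketTimes(
    start=sample_time(1, 8),
    end=sample_time(1, 18),
    renew_until=sample_time(8, 8),
)


def time_left(t: TicketTimes, now: datetime) -> timedelta:
    """What the tooltip shows: time until End time, never negative."""
    return max(t.end - now, timedelta(0))


def ticket_state(t: TicketTimes, now: datetime) -> str:
    """'not_yet_valid' before Start time; 'expired' at or after End time (no
    authentication and no renewal possible); 'expiring' inside the last hour,
    when the icon changes; otherwise 'valid'."""
    if now < t.start:
        return "not_yet_valid"
    if now >= t.end:
        return "expired"
    if t.end - now <= WARN_WINDOW:
        return "expiring"
    return "valid"


def can_renew(t: TicketTimes, now: datetime) -> bool:
    """Renewal is accepted only while the current instance is still valid and
    the Renew until bound has not passed: both times must lie in the future."""
    return t.renewable and t.start <= now < t.end and now < t.renew_until


def renew(t: TicketTimes, now: datetime) -> TicketTimes:
    """New instance with the same lifetime, starting now, clamped to Renew until."""
    if not can_renew(t, now):
        raise ValueError("ticket is not renewable at this time")
    lifetime = t.end - t.start
    new_end = min(now + lifetime, t.renew_until)
    return TicketTimes(start=now, end=new_end, renew_until=t.renew_until)


if __name__ == "__main__":
    for when in (sample_time(1, 9), sample_time(1, 17, 30), sample_time(1, 18)):
        print(when.isoformat(), ticket_state(SAMPLE_TGT, when), time_left(SAMPLE_TGT, when))
    renewed = renew(SAMPLE_TGT, sample_time(1, 17, 30))
    print("renewed instance valid until", renewed.end.isoformat())
```

Once End time has passed, `can_renew` returns False even though Renew until is still in the future: the expired instance can neither authenticate nor be presented for renewal, which is why the LSA renews within the last hour rather than after expiry. A renewal requested close to Renew until is clamped so the new End time never exceeds that bound.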
Encryption types tab

| Option | Description |
|---|---|
| Ticket Encryption Type | Encryption type used to encrypt the Kerberos ticket. |
| Key Encryption Type | Encryption type the enclosed session key will be used with. |
The following Kerberos ticket flags may be set:
Flags tab

| Option | Description |
|---|---|
| Forwardable | This flag allows for authentication forwarding without requiring the user to enter a password again. |
| Forwarded | This flag is set by the ticket-granting service (TGS) when a client presents a ticket with the FORWARDABLE flag set and requests it be set by specifying the FORWARDED key distribution center (KDC) option and supplying a set of addresses for the new ticket. It is also set in all tickets issued based on tickets with the FORWARDED flag set. |
| Proxiable | This flag allows a client to pass a proxy to a server to perform a remote request on its behalf. When set, this flag tells the ticket-granting service (TGS) that it can issue a new ticket, but not a ticket-granting ticket (TGT), with a different network address based on this ticket. |
| Proxy | This flag is set in a ticket by the ticket-granting service (TGS) when it issues a proxy ticket. Application servers may check this flag and require additional authentication from the agent presenting the proxy in order to provide an audit trail. |
| May Postdate | This flag must be set in a ticket-granting ticket (TGT) in order to issue a postdated ticket based on the presented ticket. |
| Postdated | This flag indicates a ticket has been postdated. Postdated tickets provide a way to obtain tickets from the key distribution center (KDC) at job submission time, but leave them "dormant" until they are activated and validated by a further request of the KDC. When the KDC issues a POSTDATED ticket, it will also be marked as INVALID, so that the application client must present the ticket to the KDC to be validated before use. |
| Invalid | This flag indicates the ticket is invalid (not valid). A postdated ticket will usually be issued in this form. Invalid tickets must be validated by the key distribution center (KDC) before use. Tickets are presented to the KDC in a ticket-granting service (TGS) request with the VALIDATE option specified. The KDC will only validate tickets after their start time has passed. |
| Initial | This flag indicates the ticket was issued using the Authentication Service (AS) exchange and not issued based on a ticket-granting ticket (TGT). |
| Renewable | This flag allows the ticket holder to maintain a valid ticket for long periods of time. Renewable tickets have two "expiration times": the first is when the current instance of the ticket expires, and the second is the latest permissible value for an individual expiration time. |
| HW Authenticated | This flag provides additional information about the initial authentication: the KDC sets it when the initial authentication used hardware expected to be possessed only by the named client. It is carried regardless of whether the current ticket was issued directly, in which case INITIAL will also be set, or issued on the basis of a ticket-granting ticket (TGT), in which case the INITIAL flag is clear. |
| Preauthenticated | This flag provides additional information about the initial authentication: the KDC sets it when it required preauthentication data to be presented during the initial authentication. It is carried regardless of whether the current ticket was issued directly, in which case INITIAL will also be set, or issued on the basis of a ticket-granting ticket (TGT), in which case the INITIAL flag is clear. |
| OK as delegate | This flag indicates that the server (not the client) specified in the ticket has been determined by policy of the realm to be a suitable recipient of delegation. Windows 2000 will only forward the user's credentials to services that are "ok as delegate". |
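The flags in this table are carried in the ticket as a bit mask, which KerbTray decodes into the names shown. As an added example that is not KerbTray's code, the Python below decodes such a mask using the KERB_TICKET_FLAGS_* bit values from the Windows SDK header ntsecapi.h (the bit order is the same as the RFC 1510 TicketFlags bit string: bit 1 is FORWARDABLE, bit 13 is OK-AS-DELEGATE), converts an RFC-style bit string to the same mask, and reports the combinations a reviewer would check against the descriptions above, such as a POSTDATED ticket that is not also INVALID, or a forwardable TGT, whose credentials can be forwarded to services marked OK as delegate. The `review_flags` notes and the sample masks are my own construction; bits outside this table are reported as unknown rather than named.

```python
"""Decode the ticket-flags mask behind KerbTray's Flags tab and note oddities.

Added example, not part of KerbTray. Bit values are the KERB_TICKET_FLAGS_*
constants from the Windows SDK header ntsecapi.h; the bit order matches the
RFC 1510 TicketFlags bit string (bit 1 = FORWARDABLE, bit 13 = OK-AS-DELEGATE).
"""
from typing import List

TICKET_FLAGS = [
    (0x40000000, "Forwardable"),
    (0x20000000, "Forwarded"),
    (0x10000000, "Proxiable"),
    (0x08000000, "Proxy"),
    (0x04000000, "May Postdate"),
    (0x02000000, "Postdated"),
    (0x01000000, "Invalid"),
    (0x00800000, "Renewable"),
    (0x00400000, "Initial"),
    (0x00200000, "Preauthenticated"),
    (0x00100000, "HW Authenticated"),
    (0x00040000, "OK as delegate"),
]
KNOWN_MASK = sum(bit for bit, _ in TICKET_FLAGS)


def decode_flags(mask: int) -> List[str]:
    """Names of the set flags, in the order the Flags tab lists them."""
    return [name for bit, name in TICKET_FLAGS if mask & bit]


def unknown_bits(mask: int) -> int:
    """Bits set in the mask that the table above does not name (reported, not guessed)."""
    return mask & ~KNOWN_MASK & 0xFFFFFFFF


def mask_from_bitstring(bits: str) -> int:
    """Convert an RFC 1510 TicketFlags BIT STRING, written as '0'/'1'
    characters with bit 0 first, to the 32-bit mask Windows uses."""
    if len(bits) > 32 or set(bits) - {"0", "1"}:
        raise ValueError("expected up to 32 '0'/'1' characters")
    mask = 0
    for i, b in enumerate(bits):
        if b == "1":
            mask |= 1 << (31 - i)  # RFC bit i is the i-th most significant bit
    return mask


def review_flags(mask: int, is_tgt: bool) -> List[str]:
    """Observations (constructed for this example) a reviewer would want when
    reading a ticket's flags against the table's descriptions."""
    names = set(decode_flags(mask))
    notes = []
    if "Postdated" in names and "Invalid" not in names:
        notes.append("POSTDATED without INVALID: the KDC marks postdated tickets INVALID when issued")
    if "Invalid" in names:
        notes.append("INVALID: must be validated by the KDC (TGS request with VALIDATE) before use")
    if is_tgt and "Forwardable" in names:
        notes.append("forwardable TGT: credentials can be forwarded to services marked OK as delegate")
    if "Forwarded" in names or "Proxy" in names:
        notes.append("forwarded/proxy ticket: the presenter may not be the original client; consider an audit trail")
    if not is_tgt and "Initial" in names:
        notes.append("INITIAL on a service ticket: obtained directly via the AS exchange, not via a TGT")
    return notes


if __name__ == "__main__":
    # Constructed sample mask: forwardable, renewable, initial, preauthenticated, plus one unnamed bit.
    sample = 0x40E10000
    print(decode_flags(sample), hex(unknown_bits(sample)))
    for note in review_flags(sample, is_tgt=True):
        print("-", note)
```

`decode_flags` is deliberately limited to the twelve flags this tab documents; anything else in the mask comes back from `unknown_bits` as a raw value so that a reader is not misled by a guessed name.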
File Required
For More Information
See "Distributed Security" in the Windows 2000 Server Resource Kit Distributed Systems Guide.
See RFC 1510, The Kerberos Network Authentication Service (V5).