I often use openssl s_client to test and debug SSL connections (to LDAPS or HTTPS services). It allows me to isolate the problem down to SSL, without anything getting in the way.
I want to do something similar with Kerberos. I would like to use a small test, which would show :
- The initial machine logon (the computer account)
- The initial AS request from the user requesting a service
- The kerberos exchange of the user getting a ticket
- (optional) the request being sent to the service
I can do steps 1, 2 and 3 if I run Wireshark on a KDC, but it is usually not an option. I can manage to capture steps 2, 3 and 4 if I monitor trafic on the client.
Is there tool that would allow me to capture the every Kerberos login steps starting with the computer account, without running Wireshark on the KDC ?
I'll go ahead and submit my previous comments as an answer. I hope it's what the OP wanted.
As you already know, you can use klist.exe to purge your Kerberos tickets.
So fire up Wireshark and start a trace. Then purge your Kerberos tickets. Then in a command prompt, type
net stop netlogon & net start netlogon. (Or do something like try to access a network file share.) That will cause the computer to request new Kerberos tickets from the KDC/Domain Controller. Now stop your Wireshark trace. You have successfully captured a network trace containing the interaction between domain member and domain controller.Update: this answer is *nix specific and the question is about windows. Leaving it in for future reference, just in case.
You can use:
kdestroyto wipe out your old ticketskinitto request a TGTkvnoto request a ticket for a service, e.g.kvno host/$(hostname -f)Oh, and
klistdoes not let you purge the cache. It shows what tickets you have obtained.