Windows 2003 and kvno in tickets

Jeffrey Hutzelman jhutz at cmu.edu
Wed Jan 14 17:49:42 EST 2004



On Wednesday, January 14, 2004 16:22:09 -0600 "Douglas E. Engert" 
<deengert at anl.gov> wrote:

>
> We recently upgraded one of our Windows AD servers to 2003. We have a
> number of service principals registered in AD which are for services run
> on UNIX. Some users were having problems using these services.
>
> It appears that 2003 AD now supports key version numbers in tickets. The
> upgraded server is issuing tickets with kvnos other than zero, while the
> others are always using zero.
>
> It is not clear where it got the kvno to use, as the entries were all
> added prior to the upgrade, and I don't recall entering these kvnos in
> the ktpass command when we defined these principals.
>
> We have not found the AD command to look at what kvno is in the AD.
> Anyone know the command?

No, but you should be able to use 'kvno' or 'kgetcred' followed by 'klist 
-v' to get a service ticket and display the kvno used in that ticket.

-- Jeff
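
Added example, not part of the original message: a shell sketch that takes the kvno reported for a service ticket and compares it with the kvnos held in the UNIX service's keytab. It assumes the MIT Kerberos output formats of `kvno` and `klist -k`; the principal, realm and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes MIT Kerberos output formats:
#   kvno     -> "<principal>: kvno = N"
#   klist -k -> "<KVNO> <principal>" rows under a two-line header

# Constructed sample output (hypothetical principal and realm).
SAMPLE_KVNO_OUT='host/unix1.example.org@EXAMPLE.ORG: kvno = 3'
SAMPLE_KEYTAB_OUT='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   1 host/unix1.example.org@EXAMPLE.ORG
   2 host/unix1.example.org@EXAMPLE.ORG
   2 HTTP/unix1.example.org@EXAMPLE.ORG'

# kvno carried in the service ticket, from `kvno` output in $1.
ticket_kvno() {
    printf '%s\n' "$1" | sed -n 's/^.*: kvno = \([0-9][0-9]*\)$/\1/p' | head -n 1
}

# Space-separated kvnos that `klist -k` output ($1) lists for principal $2.
keytab_kvnos() {
    printf '%s\n' "$1" |
        awk -v p="$2" '$1 ~ /^[0-9]+$/ && $2 == p { print $1 }' |
        sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Classify ticket kvno $1 against the keytab kvno list $2.
compare_kvno() {
    for k in $2; do
        if [ "$k" = "$1" ]; then echo match; return 0; fi
    done
    # kvno 0 is what the thread reports the non-upgraded servers issuing.
    if [ "$1" = 0 ]; then echo zero; else echo mismatch; fi
}

# Live check against a real KDC and keytab (defined here, not called).
check_principal() {  # usage: check_principal <principal> [keytab]
    t=$(ticket_kvno "$(kvno "$1")")
    k=$(keytab_kvnos "$(klist -k ${2:+"$2"})" "$1")
    echo "$1: ticket kvno=$t keytab kvnos=$k -> $(compare_kvno "$t" "$k")"
}

# Demo on the constructed samples.
p='host/unix1.example.org@EXAMPLE.ORG'
echo "$p: $(compare_kvno "$(ticket_kvno "$SAMPLE_KVNO_OUT")" \
    "$(keytab_kvnos "$SAMPLE_KEYTAB_OUT" "$p")")"
```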

