Windows 2003 and kvno in tickets
Jeffrey Hutzelman
jhutz at cmu.edu
Wed Jan 14 17:49:42 EST 2004
On Wednesday, January 14, 2004 16:22:09 -0600 "Douglas E. Engert"
<deengert at anl.gov> wrote:
>
> We recently upgraded one of our Windows AD servers to 2003. We have a
> number of service principals registered in AD which are for services run
> on UNIX. Some users where having problems using these services.
>
> It appears that 2003 AD now supports key version numbers in tickets. The
> upgraded server is issuing tickets with kvnos other then zero, while the
> others are always using zero.
>
> It is not clear where it got the kvno to use, as the entries where all
> added prior to the upgrade, and I don't recall entring in these kvnos in
> the ktpass command when we defined these principals.
>
> We have not found the AD command to look at what kvno is in the AD.
> Anyone know the command?
No, but you should be able to use 'kvno' or 'kgetcred' followed by 'klist
-v' to get a service ticket and display the kvno used in that ticket.
-- Jeff
More information about the Kerberos
mailing list