WindowsXP/Solaris : incorrect key version number

Douglas E. Engert deengert at
Wed Oct 6 11:50:31 EDT 2004

Jacques Lebastard wrote:
> Hi there,
> a few days ago, I succeeded in running a SSPI/GSS-API client/server 
> program between an XP workstation and a Solaris server. The server's 
> keytab was generated using Windows 'ktpass' tool.

Windows 2000 AD did not handle the kvno correctly and always used
1 or 0. 2003 does increment it each time it is changed. So you may
have changed the number.

Also when you use the ktpass, 2003 will update the password and kvno.

If you have the MIT kerberos, you can verify the kvno in the AD
by using kvno cvs/<hostname>@<realm> on the Solaris system.

You can also get the kvno value by looking up the value of the
"msDS-KeyVersionNumber" attribute of the account in Windows 2003 AD.

> I generated another keytab file using the same tool (with the same 
> parameters) and installed that keytab file on the server.
> Now, the server claims it cannot accept the token :
> gss_accept_sec_context: Invalid credential was supplied
> gss_accept_sec_context: Key version number for principal in key table is 
> incorrect
> I tried to generate another keytab file using the -kvno 1 option but to 
> no avail.
> What did I miss ?


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list