WindowsXP/Solaris : incorrect key version number

Jacques Lebastard Jacques.Lebastard at
Wed Oct 6 12:47:22 EDT 2004

Douglas E. Engert wrote:

> Jacques Lebastard wrote:
>> Hi there,
>> a few days ago, I succeeded in running a SSPI/GSS-API client/server 
>> program between an XP workstation and a Solaris server. The server's 
>> keytab was generated using Windows 'ktpass' tool.
> Windows 2000 AD did not handle the kvno correctly and always used
> 1 or 0. 2003 does increment it each time it is changed. So you may
> have changed the number.
> Also when you use the ktpass, 2003 will update the password and kvno.

The last keytab generated by ktpass used kvno 10 for account's 
principal. Even though the server does use that keytab, 
gss_accept_sec_context fails.

Could it be that Windows SSPI keeps previous service tickets somewhere 
in caches with the previous kvno ? Is the kvno visible when using 
asn1dump on the GSS-API token ?

> If you have the MIT kerberos, you can verify the kvno in the AD
> by using kvno cvs/<hostname>@<realm> on the Solaris system.

Nope : "Solaris 9 kerberos" is in use.

> You can also get the kvno value by looking up the value of the
> "msDS-KeyVersionNumber" attribute of the account in Windows 2003 AD.

According to the AD schema, this attribute may be part of a 
securityPrincipal object. However, I cannot find any such object using 
LDAP browsers !
Mr. Jacques LEBASTARD            mailto:jacques.lebastard at
EVIDIAN S.A.           
Rue Jean Jaurès                  Tel: +33 1 30 80 77 86
F-78340 LES CLAYES SOUS BOIS     Fax: +33 1 30 80 77 99

More information about the Kerberos mailing list