WindowsXP/Solaris : incorrect key version number

Douglas E. Engert deengert at
Thu Oct 7 10:41:13 EDT 2004

Jacques Lebastard wrote:
> Douglas E. Engert wrote:

>>> Could it be that Windows SSPI keeps previous service tickets 
>>> somewhere in caches with the previous kvno ?
>> Yes you as a user or client have a ticket cache. There is a MS program
>> called kerbtray, which you can use to see what tickets you have.
> That's the tool I missed. I used it to purge the ticket cache on the 
> client workstation, generated a new keytab on the 2003 ADS, installed it 
> on the Solaris server host, restarted the server application.
> Now gss_accept_sec_context works fine !

In theory to allow for a smooth change of keys, a key should be added to
the server's keytab, before the key is updated in the KDC.  So a principal
could at times have two keys each with different kvno for the same principal.
The server can then accept tickets encrypted in either the old or new key.
Then when the max lifetime for any cached tickets has passed, the old key
can be removed from the server's keytab.

It sounds like your problem was you where replacing the key in the keytab
but you still had cached tickets using the old key.


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list