kinit request on keytab fails using 2K3sp1 KDC

Jeffrey Altman jaltman2 at
Wed Mar 22 20:10:46 EST 2006

Richard E. Silverman wrote:
>>>>>> "TA" == "Tim Alsop" <Tim.Alsop at> writes:
>     TA> It seems that the sp1 version of ktpass stores a key with a
>     TA> specific kvno in the keytab file, and the kvno in the domain
>     TA> controller for the same principal is different. This is why you
>     TA> cannot use the keytab file to authenticate.
> Yes; it always sets the kvno in the keytab it writes to 1, regardless of
> the value in the KDB (which of course changes each time the key is
> extracted).  So, you can only use the keytab the first time you extract
> it.  If you have to do it again, just delete the principal and re-create
> it.

ktpass allows you to specify the kvno on the command line.
You can obtain the kvno for the service principal with the MIT kvno utility.

Jeffrey Altman
