Issue with kvno

Benjamin Kaduk kaduk at MIT.EDU
Mon Jun 1 14:11:32 EDT 2015


On Fri, 29 May 2015, vishal wrote:

> My question is why kvno is not always present in the ticket. This
> ticket is the one that comes in TGS-RESP (from home domain), and sname is
> krbtgt for the trusted domain in TGS-REQ.
>
> I see kvno only when a new trust is created between domains and we join the
> domain. So under what situation would kvno be there in the ticket?
>
> I hope it is clear.

I guess it's clear enough, for the answer "we don't know".

The kvno field in the ASN.1 EncryptedData type is an optional field, used
to assist the recipient in selecting which key to use to decrypt the data.
Given that the Microsoft KDC is generating this EncryptedData, we probably
would only know when it includes the kvno by examining its source code,
which is unavailable.

-Ben

