Issue with kvno

Nico Williams nico at cryptonector.com
Mon Jun 1 18:45:57 EDT 2015


On Mon, Jun 01, 2015 at 02:11:32PM -0400, Benjamin Kaduk wrote:
> On Fri, 29 May 2015, vishal wrote:
> > My question is why the kvno is not always present in the ticket. This
> > ticket is the one that comes in the TGS-RESP (from the home domain), where
> > the sname is krbtgt for the trusted domain in the TGS-REQ.

> The kvno field in the ASN.1 EncryptedData type is an optional field, used
> to assist the recipient in selecting which key to use to decrypt the data.

The kvno is not required, so it may be missing.  Active Directory
does not keep track of key version numbers, which is why you see the kvno
missing when using AD.

When a service gets an AP-REQ with a Ticket that has no kvno, then the
service has to do something like:

 - try the newest kvno

and/or

 - try every key with the same enctype

Actually, one has to do the latter because of key rollover and KDC
replication latency issues.

That AD does not keep track of key history is mostly not a problem,
except for changing cross-realm keys.  For cross-realm key rollover the
lack of key history basically necessitates an outage.

Nico
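The two lookup strategies described above ("try the newest kvno" versus "try every key with the same enctype"), as an added example that is not part of Nico's post and not code from any Kerberos implementation. The keytab entries, the service principal name and the "ticket" are all constructed for the demo, and the encryption is a toy nonce/XOR/HMAC construction standing in for a real Kerberos enctype, chosen only because a wrong key makes the integrity check fail, as it does with real EncryptedData. The scenario is the one from the post: the service already holds the new key (kvno 4) but a KDC that has not yet replicated it issued the ticket under kvno 3, and the ticket carries no kvno field.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed enctype identifiers for the demo; they only need to be distinct here.
AES256 = 18
RC4 = 23


@dataclass(frozen=True)
class KeytabEntry:
    """One keytab line: principal, key version number, enctype, raw key bytes."""
    principal: str
    kvno: int
    enctype: int
    key: bytes


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy counter-mode keystream derived with SHA-256 (not a Kerberos KDF)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy EncryptedData: nonce || XOR ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def toy_decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the tag does not verify under this key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def candidate_keys(keytab: List[KeytabEntry], principal: str, enctype: int,
                   kvno: Optional[int] = None) -> List[KeytabEntry]:
    """Keys a service should try for a ticket whose kvno may be absent.

    With a kvno present, only that key version is a candidate.  Without one,
    every key of the requested enctype is returned, newest first, so that a
    ticket issued under an older key (replication latency, rollover) still
    decrypts after the newest key has been tried.
    """
    matches = [e for e in keytab if e.principal == principal and e.enctype == enctype]
    if kvno is not None:
        return [e for e in matches if e.kvno == kvno]
    return sorted(matches, key=lambda e: e.kvno, reverse=True)


def decrypt_ticket(keytab: List[KeytabEntry], principal: str, enctype: int,
                   blob: bytes, kvno: Optional[int] = None) -> Tuple[bytes, int]:
    """Try each candidate key in order; return (plaintext, kvno that worked)."""
    for entry in candidate_keys(keytab, principal, enctype, kvno):
        pt = toy_decrypt(entry.key, blob)
        if pt is not None:
            return pt, entry.kvno
    raise ValueError("no key in the keytab decrypts this ticket")


def rollover_demo() -> dict:
    """Service holds kvno 3 and 4; the ticket was issued under kvno 3 with no kvno."""
    svc = "HTTP/www.example.com@EXAMPLE.COM"  # constructed principal
    keytab = [
        KeytabEntry(svc, 3, AES256, hashlib.sha256(b"old-key").digest()),
        KeytabEntry(svc, 4, AES256, hashlib.sha256(b"new-key").digest()),
        KeytabEntry(svc, 4, RC4, hashlib.sha256(b"new-rc4-key").digest()),
    ]
    ticket = toy_encrypt(keytab[0].key, b"EncTicketPart for client@EXAMPLE.COM")

    # Strategy 1: newest kvno only.  Fails, because the KDC still used kvno 3.
    newest = candidate_keys(keytab, svc, AES256)[0]
    newest_only_ok = toy_decrypt(newest.key, ticket) is not None

    # Strategy 2: every key of the same enctype, newest first.  Succeeds on kvno 3.
    pt, used = decrypt_ticket(keytab, svc, AES256, ticket)
    return {"newest_only_ok": newest_only_ok, "kvno_used": used, "plaintext": pt}


if __name__ == "__main__":
    print(rollover_demo())
```

The RC4 entry is there to show that the enctype filter matters: the AP-REQ's EncryptedData names its etype, so keys of other enctypes are never tried, which keeps the search to the handful of key versions the service actually keeps for that enctype.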