Issues with keytab creation related to switch to w2k3 w/ ktutil

Sam Hartman hartmans at MIT.EDU
Wed Apr 7 09:31:47 EDT 2004

>>>>> "Nathan" == Nathan Neulinger <nneul at> writes:

    Nathan> Switch to pointing at a W2K3 domain controller - only
    Nathan> change is host used for ldap. New result - keytab
    Nathan> nonfunctional, get decrypt integ check failed, or pre-auth
    Nathan> failed if I try to auth with the keytab.

Windows 2003 supports a concept of kvno.  You should use the kvno
executable from MIT Kerberos to determine the kvno of the service
principal before constructing the keytab.

BTW, this question is really off-topic for this list and belonged on
kerberos at


More information about the krbdev mailing list