Kerberos 1.7 and later does not interoperate with AD Read-only DCs

Nico Williams nico at
Wed Feb 29 18:37:58 EST 2012

How does this come up?  Via forwarded TGTs with these weird kvnos in
their enc-part's EncryptedData?

Also, we're not changing the definition for kvno anywhere else, correct?

Finally: do we have to make sure that kvnos for MIT principals never
get larger than 2^31 - 1?


More information about the krbdev mailing list