Retrieve the current Kerberos KVNO from Active Directory

Solution 1:

With PowerShell's AD Cmdlets it's possible to query for kvno:

get-aduser <username> -property msDS-KeyVersionNumber

Solution 2:

I'm incredulous as to whether KVNO has anything to do with your problem. OK, maybe with Linux clients, but anyway, use Wireshark/Network Monitor:

Key Version Numbers are described in MS-KILE section

By the way, Mathias R. Jessen is correct in that Windows typically ignores KVNOs. But they are still implemented in an RFC-compliant way.

No, Windows does not pay attention to KVNO. It simply ignores it.

But the KVNO does have some significance in an RODC environment:

Some more info here:

In an environment with one or more RODCs, authentication may fail when interacting with certain MIT-based Kerberos devices in one of the following scenarios.

· The client is an MIT device which received a TGT from Windows KDC on RODC

· The client passes a TGT generated by Windows KDC on RODC to MIT Device which in turn uses the TGT to request a TGS on behalf of the calling user.

In both scenarios the TGT will have been issued by an RODC where the msDS-SecondaryKrbTgtNumber associated with the krbtgt account for that RODC will have a value greater than 32767.
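The RODC behaviour described above is easier to reason about once the KVNO is decoded. The following is an added example, not code from any of the answers on this page. It assumes the MS-KILE layout for RODC-issued tickets (the RODC's msDS-SecondaryKrbTgtNumber, which is always greater than 32767, in the upper 16 bits of the kvno and the key version in the lower 16 bits), and that a legacy MIT keytab entry stores the kvno in a single byte, which is why large RODC kvno values trip up some MIT-based devices. The sample `kvno` output and the branch number 32821 are constructed for the example.

```python
"""Decode a Kerberos KVNO as a Windows KDC issues it and flag RODC-issued values.

Added example, not from the answers above. Assumption: MS-KILE "Key Version Numbers"
layout for RODC-issued tickets, i.e. kvno = (msDS-SecondaryKrbTgtNumber << 16) | version.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

RODC_BRANCH_MIN = 32768      # msDS-SecondaryKrbTgtNumber values start here (page: "> 32767")
MIT_KEYTAB_KVNO_MAX = 255    # legacy MIT keytab entries hold the kvno in one byte (assumption)

# Lines produced by the MIT `kvno` client look like:  principal@REALM: kvno = N
_KVNO_LINE = re.compile(r"^(?P<principal>\S+): kvno = (?P<kvno>\d+)$")


@dataclass(frozen=True)
class DecodedKvno:
    raw: int
    issued_by_rodc: bool
    secondary_krbtgt_number: Optional[int]  # suffix of the RODC's krbtgt_NNNNN account
    key_version: int


def decode_kvno(kvno: int) -> DecodedKvno:
    """Split a 32-bit kvno into (RODC branch, key version) when the RODC bit pattern is set."""
    if not 0 <= kvno <= 0xFFFFFFFF:
        raise ValueError("kvno must fit in 32 bits")
    branch = kvno >> 16
    if branch >= RODC_BRANCH_MIN:
        # Upper half carries the RODC's secondary krbtgt number, lower half the real version.
        return DecodedKvno(kvno, True, branch, kvno & 0xFFFF)
    # Writable DC: the kvno is simply the krbtgt's msDS-KeyVersionNumber.
    return DecodedKvno(kvno, False, None, kvno)


def mit_keytab_truncation(kvno: int) -> Optional[int]:
    """Return the value a one-byte keytab field would record, or None if no truncation occurs."""
    if kvno <= MIT_KEYTAB_KVNO_MAX:
        return None
    return kvno & 0xFF


def parse_kvno_output(text: str) -> Dict[str, int]:
    """Parse `kvno` command output (Solution 3 style) into {principal: kvno}."""
    result: Dict[str, int] = {}
    for line in text.splitlines():
        match = _KVNO_LINE.match(line.strip())
        if match:
            result[match["principal"]] = int(match["kvno"])
    return result


def describe(kvno: int) -> str:
    """Human-readable summary used when triaging a failed MIT <-> RODC exchange."""
    d = decode_kvno(kvno)
    if d.issued_by_rodc:
        msg = (f"kvno {kvno}: issued by RODC with secondary krbtgt number "
               f"{d.secondary_krbtgt_number}, key version {d.key_version}")
    else:
        msg = f"kvno {kvno}: issued by a writable DC, key version {d.key_version}"
    trunc = mit_keytab_truncation(kvno)
    if trunc is not None:
        msg += f"; a one-byte keytab field would store {trunc}"
    return msg


if __name__ == "__main__":
    # Constructed sample output from `kvno host/fileserver.corp.example` on a Linux host.
    sample = "host/fileserver.corp.example@CORP.EXAMPLE: kvno = 13\n"
    for principal, value in parse_kvno_output(sample).items():
        print(principal, "->", describe(value))
    # Constructed RODC case: branch 32821, key version 2.
    print(describe((32821 << 16) | 2))
```

`decode_kvno` treats any upper half below 32768 as a plain (writable DC) kvno, so ordinary small values such as 13 pass through unchanged; only the RODC bit pattern from the text above triggers the split.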

Solution 3:

On Linux you can use the kvno command to retrieve it from the KDC:

[[email protected] XXX]# kvno host/XXXX

host/[email protected]: kvno = 13

Solution 4:

dsquery * -filter "(sAMAccountName=Accountname)" -attr msDS-KeyVersionNumber

Solution 5:

Query from an AD-joined Linux server:

net ads search -P '(&(objectCategory=computer)(cn=HOSTNAME))' msDS-KeyVersionNumber

Replace HOSTNAME with your hostname.
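When the hostname or account name in Solutions 4 and 5 comes from user input or an inventory file, the LDAP filter should be built with RFC 4515 escaping rather than string substitution, so a value containing `*`, `(` or `)` cannot widen the search. The following is an added example, not code from the answers; it assumes Samba's `net ads search -P` and `dsquery` accept a standard LDAP filter as shown above, and the sample `net ads search` output is constructed.

```python
"""Build and parse a msDS-KeyVersionNumber lookup with a safely escaped LDAP filter.

Added example, not from the answers above. Assumes `net ads search` prints attributes
as "name: value" lines (sample output below is constructed).
"""
import subprocess
from typing import Dict, List, Optional

# RFC 4515 assertion-value escapes; applied to any value spliced into a filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a value so it can only match literally inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def computer_kvno_filter(hostname: str) -> str:
    """Filter used in Solution 5, with the hostname escaped."""
    return f"(&(objectCategory=computer)(cn={ldap_escape(hostname)}))"


def user_kvno_filter(sam_account_name: str) -> str:
    """Filter used in Solution 4 (dsquery), with the account name escaped."""
    return f"(sAMAccountName={ldap_escape(sam_account_name)})"


def net_ads_search_argv(hostname: str) -> List[str]:
    """argv for Samba's `net ads search` (-P: authenticate with the machine account)."""
    return ["net", "ads", "search", "-P", computer_kvno_filter(hostname),
            "msDS-KeyVersionNumber"]


def parse_net_ads_output(text: str) -> Optional[int]:
    """Extract msDS-KeyVersionNumber from `net ads search` output, or None if absent."""
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip() == "msDS-KeyVersionNumber":
            return int(value.strip())
    return None


def lookup_kvno(hostname: str) -> Optional[int]:
    """Run the query on an AD-joined host; argv form avoids any shell quoting issues."""
    proc = subprocess.run(net_ads_search_argv(hostname), capture_output=True,
                          text=True, check=True)
    return parse_net_ads_output(proc.stdout)


if __name__ == "__main__":
    # Constructed output in the shape `net ads search` produces for one matching object.
    sample = "Got 1 replies\n\nmsDS-KeyVersionNumber: 3\n"
    print(net_ads_search_argv("fileserver01"))
    print(parse_net_ads_output(sample))
```

Passing the command as an argv list rather than one shell string keeps the single quotes from Solution 5 unnecessary, and `ldap_escape` turns a hostname such as `fs*` into the literal `fs\2a` instead of a wildcard.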