Retreive the current Kerberos KVNO from Active Directory
With PowerShell's AD Cmdlets it's possible to query for kvno:
get-aduser <username> -property msDS-KeyVersionNumber
I'm incredulous as to whether KVNO has anything to do with your problem, OK maybe with Linux clients, but anyway, use Wireshark/Network Monitor:
Key Version Numbers are described in MS-KILE section 18.104.22.168.
By the way, Mathias R. Jessen is correct in that in that Windows typically ignores KVNOs. But they are still implemented in an RFC-complaint way.
No, Windows does not pay attention to KVNO. It simply ignores it.
But the KVNO does have some significance in an RODC environment:
Some more info here: https://web.archive.org/web/20150204183217/http://support.microsoft.com/kb/2716037
In an environment with one or more RODCs authentication may fail when interacting with certain MIT based Kerberos devices in one of the following scenarios.
· The client is an MIT device which received a TGT from Windows KDC on RODC
· The client passes a TGT generated by Windows KDC on RODC to MIT Device which in turn uses the TGT to request a TGS on behalf of the calling user.
In both scenarios the TGT will have been issued by an RODC where the msDS-SecondaryKrbTgtNumber associated with the krbtgt account for that RODC will have a value greater than 32767.
On linux you can use kvno command to retreive it from KDC
[[email protected] XXX]# kvno host/XXXX host/[email protected]: kvno = 13
dsquery * -filter sAMAccountName=Accountname -attr msDS-KeyVersionNumber
Query from a AD joined linux server:
net ads search -P '(&(objectCategory=computer)(cn=HOSTNAME))' msDS-KeyVersionNumber
replace HOSTNAME with your hostname.