Ulf Ekberg wrote:
>
> I've been using the ktpass command that came with the 2008
> distribution. While that ktpass command appears to read the
> attribute to determine the kvno, it no longer increments the kvno
> when you generate a keytab file. Looking at the msDS-KeyVersionNumber
> attribute, it doesn't change after running ktpass, not even if
> you explicitly specify /kvno on the ktpass command line.
>
> When asked about this possible problem with ktpass (at least,
> it's a change from 2003), Microsoft just said that the ktpass
> command isn't supported.
>

ktpass no longer changes the kvno when generating a keytab because it
shouldn't. kvno should only change if a new key is generated.

In general, the /kvno switch should just be ignored. It doesn't set the
kvno in AD, it simply permits you to lie about the kvno in the keytab,
which is somewhat pointless.

With the 2008 ktpass you can generate keytabs for each of the enctypes
that Server 2008 supports so that all of the enctypes are available to
services that rely on keytabs.

ktpass is a rather crappy tool and in theory it can be replicated/replaced
without the assistance of Microsoft.

I don't know who you have been talking with at Microsoft but as far as the
folks I talk to, ktpass is supported. They certainly have tried to fix
enough bugs in it over the last year.

Jeffrey Altman
Secure Endpoints Inc.
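The check implied by the reply above, as an added example that is not part of the thread or of ktpass: since /kvno only changes the number written into the keytab and never the account's msDS-KeyVersionNumber, the useful test after running ktpass is to parse the keytab and compare each entry's kvno with the value actually stored in AD. The parser below reads the MIT keytab format (version 0x0502), including the one-byte vno field and the optional 32-bit kvno extension that takes precedence when present. The AD values are passed in as a dictionary (in practice read with Get-ADObject or ldapsearch; here a constructed mapping), and the keytab bytes, principal names and all-zero keys are constructed sample data, not a real keytab.

```python
"""Parse an MIT-format keytab and compare each entry's kvno with the
msDS-KeyVersionNumber value read from Active Directory.  Added example;
principals, keys and AD values below are constructed test data."""
import struct
from dataclasses import dataclass

# Kerberos encryption type numbers (RFC 3961 / RFC 4757) for readable output.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
KRB5_NT_PRINCIPAL = 1


@dataclass
class KeytabEntry:
    principal: str   # "svc/host@REALM"
    name_type: int
    timestamp: int
    kvno: int        # 32-bit extension if present and nonzero, else vno8
    enctype: int
    key: bytes


def _counted(b: bytes) -> bytes:
    """Keytab counted_octet_string: uint16 big-endian length + data."""
    return struct.pack(">H", len(b)) + b


def _read_counted(buf: bytes, off: int):
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def build_keytab(entries) -> bytes:
    """Serialize (principal, kvno, enctype, key) tuples into keytab bytes.
    Only used here to construct sample input; real keytabs come from ktpass."""
    out = bytearray(b"\x05\x02")                      # format version 0x0502
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name type, timestamp (0 for the sample), vno8 = low byte of kvno
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)               # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body    # entry size, then entry
    return bytes(out)


def parse_keytab(data: bytes):
    """Return the list of KeytabEntry records in a version-0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                                  # deleted slot: skip |size| bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _read_counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _read_counted(data, off)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:                            # optional 32-bit kvno
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, ts, kvno, enctype, key))
    return entries


def kvno_mismatches(keytab: bytes, ad_kvno: dict):
    """ad_kvno maps principal -> msDS-KeyVersionNumber of the owning account.
    Returns (principal, enctype name, keytab kvno, AD kvno) for each disagreement."""
    out = []
    for e in parse_keytab(keytab):
        expected = ad_kvno.get(e.principal)
        if expected is not None and e.kvno != expected:
            out.append((e.principal, ENCTYPE_NAMES.get(e.enctype, str(e.enctype)),
                        e.kvno, expected))
    return out


# Constructed sample: AES and RC4 keys for one SPN with the correct kvno, and a
# second SPN whose keytab carries "/kvno 9" while AD still says 7.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/www.example.com@EXAMPLE.COM", 3, 18, bytes(32)),
    ("HTTP/www.example.com@EXAMPLE.COM", 3, 23, bytes(16)),
    ("host/app01.example.com@EXAMPLE.COM", 9, 23, bytes(16)),
])
SAMPLE_AD_KVNO = {"HTTP/www.example.com@EXAMPLE.COM": 3,
                  "host/app01.example.com@EXAMPLE.COM": 7}

if __name__ == "__main__":
    for principal, enc, have, want in kvno_mismatches(SAMPLE_KEYTAB, SAMPLE_AD_KVNO):
        print(f"{principal} ({enc}): keytab kvno {have}, AD msDS-KeyVersionNumber {want}")
```

Only the host/app01 entry is reported, because the two HTTP entries (one per enctype) agree with AD. The 32-bit extension matters once an account has been rekeyed more than 255 times: the one-byte vno8 field wraps, so a reader that ignores the extension would compare the wrong number.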