Generate Kerberos version numbers for Windows 2000

Kerberos version numbers (kvno) allow a ticket that was issued with a computer's previous key to be decrypted even when the ticket was issued before the computer changed its password but presented afterwards.

Windows 2000 does not support these kvnos, but you can enable this policy to generate version numbers that work with Windows 2000.

However, this feature requires Centrify's Kerberos libraries, so older Kerberos applications may fail to understand the generated Kerberos version numbers. You can disable this policy to support older applications, with the knowledge that the race condition just described may cause authentication failures.
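A simplified model of the race described above, as an added example (not Centrify's code and not part of the original page). HMAC-SHA256 stands in for Kerberos ticket encryption, the names `Host`, `issue_ticket` and `race` are hypothetical, and the model assumes that a receiver given no kvno tries only its current key.

```python
import hashlib
import hmac
import os

def seal(key: bytes, payload: bytes) -> bytes:
    """Stand-in for ticket encryption: payload followed by an HMAC-SHA256 tag."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    """Return the payload if the tag verifies under key, otherwise None."""
    payload, tag = blob[:-32], blob[-32:]
    good = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, good) else None

class Host:
    """Computer account that retains earlier keys, indexed by kvno."""
    def __init__(self):
        self.kvno = 1
        self.keys = {1: os.urandom(32)}

    def change_password(self):
        self.kvno += 1
        self.keys[self.kvno] = os.urandom(32)  # previous keys stay in the table

    def accept(self, ticket):
        kvno, blob = ticket
        # With a kvno, select the matching key; without one (assumption of
        # this model), only the current key is tried.
        key = self.keys.get(kvno) if kvno is not None else self.keys[self.kvno]
        return unseal(key, blob) if key else None

def issue_ticket(host: Host, with_kvno: bool):
    """KDC side: seal under the host's current key, optionally recording the kvno."""
    blob = seal(host.keys[host.kvno], b"client=alice")  # constructed sample payload
    return (host.kvno if with_kvno else None, blob)

def race(with_kvno: bool):
    host = Host()
    ticket = issue_ticket(host, with_kvno)  # issued before the password change
    host.change_password()                  # computer key rotates
    return host.accept(ticket)              # ticket presented afterwards

if __name__ == "__main__":
    print("with kvno:   ", race(True))
    print("without kvno:", race(False))
```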

This group policy modifies the krb5.generate.kvno setting in the Centrify DirectControl configuration file.

Supported on:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: Software\Policies\Centrify\CentrifyDC\Settings\Kerberos
Value Name: krb5.generate.kvno
Value Type: REG_SZ
Enabled Value: true
Disabled Value: false

Skip items whose partial path matches

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: Software\Policies\Centrify\CentrifyDC\Settings\Kerberos
Value Name: {number}
Value Type: REG_DWORD
Default Value:

centrifydc_settings.admx
