Generate Kerberos version numbers for Windows 2000

Kerberos Version Numbers (kvno), allow tickets issued with a computer's previous key to be decrypted even when the ticket was issued before the computer changed its password, but presented afterwards.

Windows 2000 does not support these kvnos, but you can enable this policy to generate version numbers that work with Windows 2000.

However, this feature requires Centrify's Kerberos libraries so older Kerberos applications may fail to understand the generated Kerberos version numbers. You can disable this policy to support older applications with the knowledge that the race condition just described may cause authentication failures.

This group policy modifies the krb5.generate.kvno setting in the Centrify DirectControl configuration file.

Supported on:

Registry PathSoftware\Policies\Centrify\CentrifyDC\Settings\Kerberos
Value Namekrb5.generate.kvno
Value TypeREG_SZ
Enabled Valuetrue
Disabled Valuefalse

Skip items whose partial path matches

Registry PathSoftware\Policies\Centrify\CentrifyDC\Settings\Kerberos
Value Name{number}
Default Value


Administrative Templates (Computers)

Administrative Templates (Users)