Kerberos version numbers (kvno) allow a ticket issued with a computer's previous key to be decrypted even when the ticket was issued before the computer changed its password but is presented afterwards.
Windows 2000 does not support these kvnos, but you can enable this policy to generate version numbers that work with Windows 2000.
However, this feature requires Centrify's Kerberos libraries, so older Kerberos applications may fail to understand the generated Kerberos version numbers. You can disable this policy to support older applications, with the knowledge that the race condition just described may cause authentication failures.
This group policy modifies the krb5.generate.kvno setting in the Centrify DirectControl configuration file.
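The race condition described above, as an added example that is not Centrify's or any Kerberos library's code. It is a simplified model: an HMAC tag stands in for ticket encryption, the names `Service`, `issue_ticket`, `accept_ticket` and `race_demo` are hypothetical, and the assumption is that a service receiving a ticket without a kvno tries only its current key.

```python
import hashlib
import hmac
import os

class Service:
    """Toy service holding long-term keys indexed by kvno (constructed model)."""

    def __init__(self):
        self.keys = {}          # kvno -> key bytes
        self.current_kvno = 0

    def rotate_password(self):
        """Computer password change: new key, kvno incremented, old keys kept."""
        self.current_kvno += 1
        self.keys[self.current_kvno] = os.urandom(32)
        return self.current_kvno

def issue_ticket(service, payload, with_kvno=True):
    """KDC side: seal payload under the service's current key.
    An HMAC tag stands in for real Kerberos ticket encryption."""
    key = service.keys[service.current_kvno]
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return {"kvno": service.current_kvno if with_kvno else None,
            "payload": payload, "tag": tag}

def accept_ticket(service, ticket):
    """Service side: pick the key by the ticket's kvno when one is present;
    otherwise fall back to the current key only (assumption of this model)."""
    kvno = ticket["kvno"] if ticket["kvno"] is not None else service.current_kvno
    key = service.keys.get(kvno)
    if key is None:
        return False
    expected = hmac.new(key, ticket["payload"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, ticket["tag"])

def race_demo():
    """Ticket issued before the password change, presented after it."""
    results = {}
    for with_kvno in (True, False):
        svc = Service()
        svc.rotate_password()                       # kvno 1
        ticket = issue_ticket(svc, b"client@EXAMPLE.COM", with_kvno)  # constructed payload
        svc.rotate_password()                       # kvno 2, between issue and use
        results[with_kvno] = accept_ticket(svc, ticket)
    return results

if __name__ == "__main__":
    print(race_demo())
```

With a kvno on the ticket the service selects the previous key and accepts it; without one the ticket is checked against the new key and rejected.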
Registry Hive | HKEY_LOCAL_MACHINE |
Registry Path | Software\Policies\Centrify\CentrifyDC\Settings\Kerberos |
Value Name | krb5.generate.kvno |
Value Type | REG_SZ |
Enabled Value | true |
Disabled Value | false |

Registry Hive | HKEY_LOCAL_MACHINE |
Registry Path | Software\Policies\Centrify\CentrifyDC\Settings\Kerberos |
Value Name | {number} |
Value Type | REG_DWORD |
Default Value |