Retreive the current Kerberos KVNO from Active Directory
Solution 1:
I'm incredulous as to whether KVNO has anything to do with your problem, OK maybe with Linux clients, but anyway, use Wireshark/Network Monitor:
Key Version Numbers are described in MS-KILE section 3.1.5.8.
By the way, Mathias R. Jessen is correct in that in that Windows typically ignores KVNOs. But they are still implemented in an RFC-complaint way.
https://docs.microsoft.com/en-us/archive/blogs/openspecification/to-kvno-or-not-to-kvno-what-is-the-version
No, Windows does not pay attention to KVNO. It simply ignores it.
But the KVNO does have some significance in an RODC environment:
https://docs.microsoft.com/en-us/archive/blogs/openspecification/notes-on-kerberos-kvno-in-windows-rodc-environment
Some more info here: https://web.archive.org/web/20150204183217/http://support.microsoft.com/kb/2716037
In an environment with one or more RODCs authentication may fail when interacting with certain MIT based Kerberos devices in one of the following scenarios.
· The client is an MIT device which received a TGT from Windows KDC on RODC
· The client passes a TGT generated by Windows KDC on RODC to MIT Device which in turn uses the TGT to request a TGS on behalf of the calling user.
In both scenarios the TGT will have been issued by an RODC where the msDS-SecondaryKrbTgtNumber associated with the krbtgt account for that RODC will have a value greater than 32767.
Solution 2:
With PowerShell's AD Cmdlets it's possible to query for kvno:
PS> import-module ActiveDirectory
^^^ if this fails, find a Windows server where it is installed
PS> get-aduser <username> -property msDS-KeyVersionNumber