[cifs-protocol] RE: KVNO of trusts

John Dunning johndun at microsoft.com
Thu Oct 2 16:17:04 GMT 2008

Hello Andrew,

We have concluded our investigation regarding this issue.

Question: "How do I determine what Key Version Number (kvno) to assign to trusted domain entities in the KDC?"

The key version number of the trust password for a trust object is set by making a LsarSetTrustedDomainInfoByName ([MS-LSAD] section request when the trust is created. It is incremented by 1 each time the trust password is changed. The key version number can be determined at any time by making an LsarQueryTrustedDomainInfoByName request or parsing the trustAuthInfoIncoming/trustAuthInfoOutgoing attributes using the information provided in MS-ADTS section and looking for an LSAPR_AUTH_INFORMATION structure with AuthType equal to TRUST_AUTH_TYPE_VERSION (3).

A change will be made to the [MS-ADA2] document section 2.235 Attribute msDS-KeyVersionNumber which will be similar to the following:

      2.235 Attribute msDS-KeyVersionNumber
For a given user, computer or built-in account, this attribute specifies the Kerberos version number of the current key for that account. The Kerberos key version number for trusts is stored in the trusted domain object (TDO) whose object class is trustedDomain.

  cn: ms-DS-KeyVersionNumber
  ldapDisplayName: msDS-KeyVersionNumber
  attributeId: 1.2.840.113556.1.4.1782
  omSyntax: 2
  isSingleValued: TRUE
  schemaIdGuid: c523e9c0-33b5-4ac8-8923-b57b927f42f6
  systemOnly: TRUE
  searchFlags: 0

Version-Specific Behavior: Implemented on Windows Server 2003, Windows Server 2003 R2, and Windows Server 2008.

The schemaFlagsEx attribute was added to this attribute definition in Windows Server 2008.

Please let me know if this fully answers this issue.

John Dunning
Senior Escalation Engineer Microsoft Corporation
Email: johndun at microsoft.com
Tele: (469)775-7008

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Tuesday, September 02, 2008 11:13 PM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: KVNO of trusts

How do I determine what Key Version Number (kvno) to assign to trusted domain entities in the KDC?

For normal users, we have msDS-KeyVersionNumber, but as per our previous discussions, trusts do not need cn=user type objects for interoperability (a point I dispute, but regardless). So, what is the source of the key version number for these principals?

(Is it the 'for NETLOGON use' version number in the trustAuthIncoming and trustAuthOutgoing attributes, for example?)

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
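Added example, not code from this thread, Microsoft or the Samba project: a small parser that pulls the trust kvno out of a trustAuthIncoming/trustAuthOutgoing value the way John describes, by finding the LSAPR_AUTH_INFORMATION entry whose AuthType is TRUST_AUTH_TYPE_VERSION (3), which is also the version number Andrew asks about. It assumes the [MS-ADTS] trustAuthInfo blob layout (Count, CurrentOffset, PreviousOffset, then the current and previous arrays of entries, each LastUpdateTime, AuthType, AuthInfoLength, AuthInfo padded to a 4-byte boundary); the sample blob is constructed.

```python
import struct

# AuthType values from [MS-LSAD] LSAPR_AUTH_INFORMATION
TRUST_AUTH_TYPE_NONE = 0
TRUST_AUTH_TYPE_NT4OWF = 1
TRUST_AUTH_TYPE_CLEAR = 2
TRUST_AUTH_TYPE_VERSION = 3

def _parse_auth_array(blob, offset, count):
    """Parse `count` LSAPR_AUTH_INFORMATION entries starting at `offset`."""
    entries = []
    for _ in range(count):
        last_update, auth_type, length = struct.unpack_from("<QII", blob, offset)
        offset += 16
        info = blob[offset:offset + length]
        if len(info) != length:
            raise ValueError("truncated AuthInfo in trust auth blob")
        offset += (length + 3) & ~3          # each entry is padded to 4 bytes
        entries.append((last_update, auth_type, info))
    return entries

def parse_trust_auth_blob(blob):
    """Return (current, previous) entry lists from a trustAuthIncoming/Outgoing value."""
    count, cur_off, prev_off = struct.unpack_from("<III", blob, 0)
    if count == 0:
        return [], []
    return (_parse_auth_array(blob, cur_off, count),
            _parse_auth_array(blob, prev_off, count))

def trust_kvno(blob):
    """kvno = the TRUST_AUTH_TYPE_VERSION entry of the *current* array, or None."""
    current, _ = parse_trust_auth_blob(blob)
    for _, auth_type, info in current:
        if auth_type == TRUST_AUTH_TYPE_VERSION:
            return struct.unpack("<I", info[:4])[0]
    return None

def _entry(auth_type, info, last_update=0):
    body = struct.pack("<QII", last_update, auth_type, len(info)) + info
    return body + b"\0" * (-len(body) % 4)

def build_sample_blob():
    """Constructed sample: cleartext password plus version entry; kvno 3 now, 2 before."""
    cur = (_entry(TRUST_AUTH_TYPE_CLEAR, "secret".encode("utf-16-le"))
           + _entry(TRUST_AUTH_TYPE_VERSION, struct.pack("<I", 3)))
    prev = (_entry(TRUST_AUTH_TYPE_CLEAR, "old".encode("utf-16-le"))
            + _entry(TRUST_AUTH_TYPE_VERSION, struct.pack("<I", 2)))
    return struct.pack("<III", 2, 12, 12 + len(cur)) + cur + prev

if __name__ == "__main__":
    print("trust kvno:", trust_kvno(build_sample_blob()))   # 3
```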
