[cifs-protocol] RE: KVNO of trusts

John Dunning johndun at microsoft.com
Wed Oct 8 16:31:20 GMT 2008

Hello Andrew,
   Thank you for your rewording suggestion. I have passed this information on to my Product Team.

I also have an answer to your question:

"What is the kvno if the client does not provide one in that structure, when it initially calls CreateTrustedDomainEx?  (I think it is -1)?"


If TRUST_AUTH_TYPE_VERSION  is missing, the key version # for that trust key in Kerberos protocol is not filled. In such a case, the Windows Kerberos will ignore the missing key version # field.
The key version (and the TRUST_AUTH_TYPE_VERSION field) is always present in Microsoft implementations to maximize interoperability.

Please let me know if this fully answers this question.

John Dunning
Senior Escalation Engineer Microsoft Corporation
Email: johndun at microsoft.com
Tele: (469)775-7008

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Friday, October 03, 2008 12:04 PM
To: John Dunning
Cc: Interoperability Documentation Help; pfif at tridgell.net; cifs-protocol at samba.org
Subject: RE: KVNO of trusts

On Thu, 2008-10-02 at 09:17 -0700, John Dunning wrote:
> Hello Andrew,
> We have concluded our investigation regarding this issue.
> Question: "How do I determine what Key Version Number (kvno) to assign to trusted domain entities in the KDC?"
> Answer:
> The key version number of the trust password for a trust object is set
> by  making a LsarSetTrustedDomainInfoByName ([MS-LSAD] section
>  request when the trust is created. It is incremented by 1
> each time the trust password is changed. The key version number can be
> determined at any time by making an LsarQueryTrustedDomainInfoByName
> request or parsing the trustAuthInfoIncoming/trustAuthInfoOutgoing
> attributes  using the information provided in MS-ADTS section
> and looking for an LSAPR_AUTH_INFORMATION structure with
> AuthType equal to  TRUST_AUTH_TYPE_VERSION (3).

Great.  What is the kvno if the client does not provide one in that structure, when it initially calls CreateTrustedDomainEx?  (I think it is -1)

> A change will be made to the [MS-ADA2]document section 2.235 Attribute msDS-KeyVersionNumber which will be similar to the following:
>       2.235 Attribute msDS-KeyVersionNumber For a given  user,
> computer or built-in account, this attribute specifies the Kerberos
> version number of the current key for that account. The Kerberos key
> version number for trusts is stored in the trusted domain object (TDO)
> whose object class is trustedDomain

Can i suggest a slight rewording:

For a trusted domain (objectClass trustedDomain), the Kerberos key version number is stored in the trusted domain object (TDO), embedded in the trustAuthIncoming and trustAuthOutgoing attributes.

Andrew Bartlett
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com

More information about the cifs-protocol mailing list