Hi All,

In Java, the Kerberos acceptor reads one key for each etype from a keytab file at the very beginning. When there are multiple keys with the same etype for a service principal in the keytab, we have to choose one of them. We used to choose the one which appears last, but have changed to choose the one with the highest kvno recently. However, it seems both are breaking apps out there in this or that customer's environment.

My question is: does a new key always have a higher kvno than the older one? I know there's also a timestamp in the keytab file. Is choosing the latest timestamp a better choice? If no one is guaranteed correct, we'll have to read all keys and choose the correct one at runtime according to the kvno field in the EncryptedData received. This approach should be the best one but is quite different from our current one-key-per-etype policy. Before making this change, I'd like suggestions from you.

Thanks
Max
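To make the policies in the message concrete, here is an added example (not JDK code) that models a keytab as a list of entries and shows where "last in file", "highest kvno" and "latest timestamp" disagree, and how selecting by the kvno carried in the ticket's EncryptedData sidesteps the choice. The principal name, kvnos, timestamps and key bytes are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import List, Optional

AES256_CTS = 18  # etype numbers from the Kerberos registry (RFC 3962)
AES128_CTS = 17


@dataclass(frozen=True)
class KeytabEntry:
    principal: str
    etype: int
    kvno: int
    timestamp: int  # keytab write time, seconds since the epoch
    key: bytes


# Constructed keytab: the kvno 6 AES256 key was written first; a kvno 5 key
# for the same principal/etype was appended later with a newer timestamp,
# so "last in file", "latest timestamp" and "highest kvno" do not agree.
SPN = "HTTP/app.example.com@EXAMPLE.COM"
KEYTAB = [
    KeytabEntry(SPN, AES256_CTS, 6, 1_700_000_000, b"\x06" * 32),
    KeytabEntry(SPN, AES128_CTS, 6, 1_700_000_000, b"\x06" * 16),
    KeytabEntry(SPN, AES256_CTS, 5, 1_700_100_000, b"\x05" * 32),
]


def _for_etype(entries: List[KeytabEntry], etype: int) -> List[KeytabEntry]:
    return [e for e in entries if e.etype == etype]


def select_last(entries, etype) -> Optional[KeytabEntry]:
    """One-key-per-etype policy: the entry that appears last in the file."""
    same = _for_etype(entries, etype)
    return same[-1] if same else None


def select_highest_kvno(entries, etype) -> Optional[KeytabEntry]:
    """One-key-per-etype policy: the entry with the highest kvno."""
    same = _for_etype(entries, etype)
    return max(same, key=lambda e: e.kvno) if same else None


def select_latest_timestamp(entries, etype) -> Optional[KeytabEntry]:
    """One-key-per-etype policy: the entry written most recently."""
    same = _for_etype(entries, etype)
    return max(same, key=lambda e: e.timestamp) if same else None


def candidate_keys(entries, etype, kvno: Optional[int]) -> List[KeytabEntry]:
    """Runtime policy: match the kvno in the ticket's EncryptedData. If the
    optional kvno field is absent, return every key of that etype, highest
    kvno first, so the acceptor can try each until one decrypts."""
    same = _for_etype(entries, etype)
    if kvno is not None:
        return [e for e in same if e.kvno == kvno]
    return sorted(same, key=lambda e: e.kvno, reverse=True)
```

With this keytab a ticket encrypted under kvno 5 is rejected by the highest-kvno policy and one under kvno 6 by the last-in-file policy, while `candidate_keys` returns the right entry for both; an empty result (unknown kvno) is the case the acceptor should log and reject rather than guess.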