Kerberos Version Numbers (
kvno), allow tickets issued with a computer's previous key to be decrypted even when the ticket was issued before the computer changed it's password, but presented afterwords.
Windows 2000 does not support these
kvnos, but you can enable this policy to generate version numbers that work with Windows 2000.
However, this feature requires Centrify's Kerberos libraries so older Kerberos applications may fail to understand the generated Kerberos version numbers. You can disable this policy to support older applications with the knowledge that the race condition just described may cause authentication failures.
This group policy modifies the
krb5.generate.kvno setting in the agent configuration file.