We are setting up SSO for our web application for a client but, unfortunately, we do not have access to the domain controller (another reason why we are not doing any more experiments to verify our assumptions). So we asked for ktpass.exe to be run and the .ktpass file to be prepared for use in our server configuration.
The problem we are facing is "the specified key version is not available."
I looked at the keytab file (kvno = 5) and checked the traffic with Wireshark on our web server: 
As you can see, kvno = 1 in the AP-REQ ticket. I believe this is the right ticket to check the kvno version.
I know about the compatibility problems with Windows 2000 domains (/kvno 1 should be used for compatibility with a Windows 2000 domain), but we are dealing with a Windows 2008R2 server (and I can see the value msDS-Behavior-Version = 4 for our domain controller, which corresponds to 2008R2!).
Are we facing something like a W2K domain mode?
Can an explicit kvno = 1 help solve the problem? I.e., ktpass.exe [..] /kvno 1
EDIT #1
The problem was an incorrectly defined SPN. It was HTTP/computer_name@DOMAIN.COM instead of using the fully qualified domain name. This will only work if WINS is enabled, but it turns out that it is not.
After generating the keytab with the correct SPN, everything works fine, and the kvno is sent according to the actual account value.
An answer explaining the effect that I observed would be gratefully received.
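A way to make the keytab check from the post repeatable, as an added example that is not part of the original post: a small parser for the MIT keytab format (version 0x0502) that lists each entry's principal, kvno and enctype and marks SPNs whose host part is a short name. The FQDN principal, the all-zero key and the helper names are assumptions made for the sample.

```python
import struct

def _counted(b):
    return struct.pack(">H", len(b)) + b

def build_entry(realm, comps, kvno, enctype=18, key=b"\x00" * 32):
    """Build one keytab entry from constructed sample data (dummy all-zero key)."""
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name type, timestamp, 8-bit kvno
    body += struct.pack(">H", enctype) + _counted(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Parse a version 0x0502 keytab into dicts: principal, kvno, enctype, short_host."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size marks a hole left by a deleted entry
            pos += -size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        end, p = pos + size, pos + 2
        def take():                   # read one 16-bit length-prefixed string
            nonlocal p
            (n,) = struct.unpack_from(">H", data, p)
            p += 2 + n
            return data[p - n:p]
        realm = take().decode()
        comps = [take().decode() for _ in range(ncomp)]
        kvno, enctype = struct.unpack_from(">BH", data, p + 8)  # after name type + timestamp
        p += 11
        take()                        # key bytes are not needed here
        if end - p >= 4:              # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "short_host": len(comps) == 2 and "." not in comps[1]})
        pos = end
    return entries

def diagnose(entries, ticket_kvno):
    """Per entry: (principal, kvno differs from the ticket's, SPN host is a short name)."""
    return [(e["principal"], e["kvno"] != ticket_kvno, e["short_host"]) for e in entries]

# Constructed sample: the short-name SPN from the post plus a hypothetical FQDN form, kvno 5.
SAMPLE = (b"\x05\x02" + build_entry("DOMAIN.COM", ["HTTP", "computer_name"], 5)
          + build_entry("DOMAIN.COM", ["HTTP", "computer_name.domain.com"], 5))
```

Calling `diagnose(parse_keytab(SAMPLE), 1)` with the kvno read from the AP-REQ in the capture shows both conditions from the post side by side: a kvno that differs from the ticket's and an SPN registered under a short host name.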