6893158 introduced kvno (key version number) check in AP-REQ parsing. This is a correct behavior but might cause interop/compatibility problems if the server uses a keytab with wrong kvno values. In fact, our vey own ktab.exe tool included in JDK can generate such keytab files because it does not know what the correct kvno is. (Other keytab generation tools like the kadmin or ktpass know the correct kvno because they need to connect to the KDC to work, but ktab.exe is a completely standalone tool)

Through 6984764, we've updated the ktab.exe tool so that user can specify the correct kvno on the command line, or specify it as 0 if it's unknown (0 will be accepted by the check). However, first it's quite difficult to find out the correct kvno. Second, there are old kaytab files that just contain wrong kvno.

This fix intends to add a fallback to the kvno checking, that when no key with matched kvno can be found, we will return the key of the same etype with the highest kvno, hoping it's the last one added to the keytab and therefore likely to be also the latest.