Re: Reset password on 'krbtgt' account?

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 02/03/05


Date: Wed, 2 Feb 2005 23:19:10 -0600

It is already managed by the operating system and would be very long and
complex, and I would not recommend changing it. If you did, it would
probably be a lot weaker than what the operating system gives it, since that
password is used to derive secret keys for Kerberos. Below is a bit of info
I found out about it. --- Steve

*********************************************************************

The security principal name used by the KDC in all Windows 2000 domains is
krbtgt, as specified by RFC 1510. An account for this security principal is
created automatically when a new Windows 2000 domain is created. The account
cannot be deleted, nor can the account name be changed. A password is
assigned to the KDC's account automatically; this password, like the
passwords assigned to domain trust accounts, is changed on a regular
schedule. The password for the KDC's account is used to derive a secret key
for encrypting and decrypting the TGTs that the KDC issues. The password for
a domain trust account is used to derive a Kerberos inter-realm key for
encrypting and decrypting referral tickets.

"Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message
news:%23V7PsCVCFHA.2572@tk2msftngp13.phx.gbl...
> We noticed that in our Child Domain (part of an Active Directory Forest),
> that the 'krbtgt' account is Disabled. Can we safely Reset the Password
> on this account to something long and complex?