Re: Reset password on 'krbtgt' account?

From: Research Services (key_at_lamar.n0-sp@m.colostate.edu.NO)
Date: 02/04/05


Date: Thu, 3 Feb 2005 17:02:59 -0700

Thank you for the information. The reason we asked is that the last time
the password was changed was the day we joined the Active Directory Forest
(back in Summer 2000).
I am a bit disturbed if the krbtgt password is supposed to be changed
automatically as it appears that it isn't...
Perhaps it only gets changed if the account is being used? As mentioned,
our 'krbtgt' account is displaying as Disabled in our Child Domain.

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:evYRA$aCFHA.960@TK2MSFTNGP09.phx.gbl...
> It is already managed by the operating system and would be very long and
> complex and I would not recommend changing it and if you did it would
> probably be a lot weaker than what the operating system gives it since
> that password is used to derive secret keys for Kerberos. Below is a bit
> of info I found out about it. --- Steve
>
> *********************************************************************
>
> The security principal name used by the KDC in all Windows 2000 domains is
> krbtgt, as specified by RFC 1510. An account for this security principal
> is created automatically when a new Windows 2000 domain is created. The
> account cannot be deleted, nor can the account name be changed. A password
> is assigned to the KDC's account automatically; this password, like the
> passwords assigned to domain trust accounts, is changed on a regular
> schedule. The password for the KDC's account is used to derive a secret
> key for encrypting and decrypting the TGTs that the KDC issues. The
> password for a domain trust account is used to derive a Kerberos
> inter-realm key for encrypting and decrypting referral tickets.
>
> "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message
> news:%23V7PsCVCFHA.2572@tk2msftngp13.phx.gbl...
>> We noticed that in our Child Domain (part of an Active Directory Forest),
>> that the 'krbtgt' account is Disabled. Can we safely Reset the Password
>> on this account to something long and complex?
>>
>>
>>
>>
>
>
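
The check behind the question in this thread, as an added example that is not part of any post: list when the krbtgt password was last set in each domain of the forest, so the date can be verified rather than assumed. The helper name `Get-KrbtgtPasswordAge` and the 180-day threshold are assumptions, and the script relies on the ActiveDirectory PowerShell module being installed.

```powershell
# Added example (not from the thread): report krbtgt password age per domain.
# Assumes the ActiveDirectory module (RSAT) and read access to every domain.
Import-Module ActiveDirectory

function Get-KrbtgtPasswordAge {   # hypothetical helper name
    param(
        [string[]]$Domain = (Get-ADForest).Domains,
        [int]$MaxAgeDays = 180     # assumed threshold, set to your own policy
    )
    foreach ($d in $Domain) {
        # Same columns for every row so Format-Table output stays aligned.
        $row = [ordered]@{
            Domain = $d; Enabled = $null; PasswordLastSet = $null
            AgeDays = $null; KeyVersion = $null; Stale = $null; Error = $null
        }
        try {
            $acct = Get-ADUser -Identity 'krbtgt' -Server $d -ErrorAction Stop `
                -Properties PasswordLastSet, 'msDS-KeyVersionNumber'
            $row.Enabled         = $acct.Enabled
            $row.PasswordLastSet = $acct.PasswordLastSet
            # The key version number goes up by one on each password change.
            $row.KeyVersion      = $acct.'msDS-KeyVersionNumber'
            if ($acct.PasswordLastSet) {
                $row.AgeDays = [int]((Get-Date) - $acct.PasswordLastSet).TotalDays
            }
            # A missing date is reported as stale so it is not overlooked.
            $row.Stale = ($null -eq $row.AgeDays) -or ($row.AgeDays -gt $MaxAgeDays)
        }
        catch {
            # Unreachable domain or access denied: keep the row, record why.
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

Get-KrbtgtPasswordAge | Format-Table -AutoSize
```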


