Re: Kerberos Ticket User
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 04/27/05
- Next message: Steven L Umbach: "Re: Weird Group Policy Message"
- Previous message: Miha Pihler [MVP]: "Re: 2003 AD security policy question"
- In reply to: Will: "Re: Kerberos Ticket User"
- Next in thread: Will: "Re: Kerberos Ticket User"
- Reply: Will: "Re: Kerberos Ticket User"
Date: Wed, 27 Apr 2005 02:45:47 -0500
The link below and a paste from it explain more about the krbtgt.
http://www.windowsitlibrary.com/Content/617/06/4.html
The AS and TGS services share a secret that is derived from the password of
the krbtgt principal. The krbtgt principal is the security principal used by
the KDC; its master key will be used to encrypt the TGTs that are issued by
the KDC. The krbtgt account is created automatically when a Windows 2000
domain is created. It cannot be deleted and renamed. As with any other
account, its password is changed regularly. In the Windows 2000 users and
computers snap-in this account is always shown as disabled.
I don't offhand know the answer to your Proxy 2.0 dilemma. What are you
trying to do that requires Kerberos? --- Steve
"Will" <DELETE_westes@earthbroadcast.com> wrote in message
news:eNgaMmvSFHA.3344@TK2MSFTNGP12.phx.gbl...
> If you are not familiar with Microsoft Proxy Server 2.0, it has a
> mode where only domain accounts can get through the proxy.
> SYSTEM accounts are always forbidden from getting through the
> proxy.
>
> I need Kerberos tickets to pass out through the proxy. The only
> way I can think to make that happen is for the Kerberos ticket
> service to run as a domain account.
>
> Is there any way to run the Kerberos ticket server under the
> permissions of a specific domain user, or did Microsoft hack it
> in such a way that it must always run as SYSTEM?
>
> What is the purpose of the krbtgt account if it is always
> disabled?
>
> --
> Will
> Internet: westes at earthbroadcast.com
>
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:e8jGVXvSFHA.2128@TK2MSFTNGP14.phx.gbl...
>> The krbtgt account is disabled by default and the system manages the
>> password. You do not nor should not reconfigure that account. I am not sure
>> exactly what you need to do but if it has to do with trusting user accounts
>> for delegation see the links below. --- Steve
>>
>> http://searchwindowssecurity.techtarget.com/generic/0,295582,sid45_gci1050149,00.html#Delegation
>>
>> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod19.asp
>>
>
>
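
An added sketch (not part of the original posts or of the quoted article) of the relationship the pasted paragraph describes: the AS role seals a TGT under a key derived from the krbtgt password, and the TGS role accepts it only if it opens under that same key. The class and function names, the PBKDF2 derivation and the toy cipher are assumptions for illustration, not the key derivation or encryption types Windows uses.

```python
import hashlib, hmac, json, os

def string_to_key(password: str, salt: str) -> bytes:
    # Assumption: PBKDF2 stands in for the Kerberos string-to-key function.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy stream cipher (HMAC in counter mode); not a real Kerberos enctype.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _tag(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    return hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def seal(key: bytes, fields: dict) -> bytes:
    nonce = os.urandom(16)
    pt = json.dumps(fields, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + _tag(key, nonce, ct)

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce, ct)):
        raise ValueError("ticket was not sealed with this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Hypothetical model: AS and TGS are two roles sharing the krbtgt key."""
    def __init__(self, realm: str, krbtgt_password: str):
        self.realm = realm
        self.krbtgt_key = string_to_key(krbtgt_password, realm + "krbtgt")

    def as_issue_tgt(self, client: str) -> bytes:
        # AS role: the TGT is opaque to the client; only the KDC can read it.
        return seal(self.krbtgt_key, {"client": client, "realm": self.realm})

    def tgs_validate_tgt(self, tgt: bytes) -> str:
        # TGS role: trusts the TGT only because it opens under the krbtgt key.
        return unseal(self.krbtgt_key, tgt)["client"]

if __name__ == "__main__":
    kdc = KDC("EXAMPLE.COM", "constructed-krbtgt-secret")  # constructed values
    tgt = kdc.as_issue_tgt("will")
    print(kdc.tgs_validate_tgt(tgt))
```

In this model the krbtgt principal never logs on anywhere; it exists only to hold the key both KDC roles use, which is consistent with the account being shown as disabled.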