Active Directory

What is Krbtgt Account

Hello All,

Hope this post finds you in good health and spirit.

What is KRBTGT?

Every Domain Controller in an Active Directory domain runs a KDC (Kerberos Distribution Center) service which handles all Kerberos ticket requests. AD uses the KRBTGT account in the AD domain for Kerberos tickets.

The KRBTGT account is one that has been lurking in your Active Directory environment since it was first stood up. Each Active Directory domain has an associated KRBTGT account that is used to encrypt and sign all Kerberos tickets for the domain.

It is a domain account so that all writable Domain Controllers know the account password in order to decrypt Kerberos tickets for validation. Read Only Domain Controllers (RODCs) each have their own individual KRBTGT account used to encrypt/sign Kerberos tickets in their own sites.

The RODC has a specific KRBTGT account (krbtgt_######) associated with the RODC through a backlink on the account. This ensures that there is cryptographic isolation between trusted Domain Controllers and untrusted RODCs.

KRBTGT is also the security principal name used by the KDC for a Windows Server domain, as specified by RFC 4120.The KRBTGT account is the entity for the KRBTGT security principal, and it is created automatically when a new domain is created.

Windows Server Kerberos authentication is achieved by the use of a special Kerberos ticket-granting ticket (TGT) enciphered with a symmetric key. This key is derived from the password of the server or service to which access is requested.

The TGT password of the KRBTGT account is known only by the Kerberos service. In order to request a session ticket, the TGT must be presented to the KDC. The TGT is issued to the Kerberos client from the KDC.

What are the KRBTGT Reset Recommendations from Microsoft?

For the KRBTGT account, there isn’t a particular advise on how to reset the password.

You should plan the interval of resets for your organisation taking into account your backup schedules, operating procedures, security requirements, etc. Even though there are no signs of compromise, you can reset it frequently.

But that needs to be handled separately. Instead, we’re going to talk about what actually happens during a KRBTGT reset .

Why we should change KRBTGT password?

  • Resetting the KRBTGT is only one part of a forest recovery strategy and alone will likely not prevent a previously successful attacker from obtaining unauthorized access to a compromised environment in the future.
  • If you are suspecting an attack on the environment, please open a support ticket with Microsoft’s Incident Response team.
  • If an attacker managed to reach the DCs and successfully hold a Golden Ticket (KRBTGT Account Hash) then it’s a game over where the periodic reset only will not mitigate that as attacker can have already built different ways from controlling DCs and reach to golden ticket again easily so best practice to detect malicious behaviors, close the back doors and ensure AD Security

Why does KRBTGT require resets twice ?

To invalidate all tickets issued using an outdated KRBTGT password, we had to reset the password twice because KRBTGT keeps two password histories.

What happens when you reset KRBTGT account password once?

  • The new KRBTGT password is replicated to all of the DCs in the domain after the initial reset.
  • The new password will be used for all new Tickets (KRB1).
  • Old tickets generated using the outdated KRBTGT password (KRBOLD) should still function because the password history is 2.
  • Once the previous tickets have expired, they should purchase new ones using the KRBTGT password (KRB1).
  • KRB1 and KRBOLD are the current KRBTGT passwords.

What happens if the KRBTGT account password is reset twice?

  • New KRBTGT password replicates to all domain DCs on second reset.
  • The new password will be used for all new tickets (KRB2).
  • Old tickets generated using the KRB1 password should continue to function because the password history is 2.
  • KRB1 and KRB2 are the current KRBTGT passwords.
  • Once the previous tickets have expired, they should renew new ones using the KRBTGT password (KRB2).
  • Since the password history is of 2, the old KRBTGT password (KTB Old) is no longer valid.

Is it possible to reset a KRBTGT account securely and without harming the environment?

Maintaining a gap of at least 10 hours between KRBTGT account password changes can greatly lessen the impact and please the auditors. However, from a security perspective, this could not be of any use.

Is there Power-script availabe to help reset KRBTGT password

Yes it is available here https://github.com/microsoft/New-KrbtgtKeys.ps1

So, that’s all in this blog. I will meet you soon with next stuff .Have a nice day !!!

Recommended contents

RODC Installation Guide- Step by step guide to install read only domain controller

RODC Filtered Attribute Set

Installing and configuring a RODC in Windows Server-2012

How to find the GUID of Domain Controller

Understanding Group Policy Preferences

Group Policy Verification Tool GPOTool Exe

Group Policy Health Check on Specific Domain Controller

What is Netlogon Folder in Active Directory

Create Custom Attributes in Active Directory

Check the Tombstone Lifetime of My Active Directory Forest

Determine a Computers AD Site From the Command Line

Check the Active Directory Database Integrity

Check the Active Directory Database Integrity

Disabling and Enabling the Outbound Replication

DFS Replication Service Stopped Replication

What is Strict Replication Consistency

The replication operation failed because of a schema mismatch between the servers involved

Troubleshooting ad replication error 8418 the replication operation failed because of a schema mismatch between the servers

How to export replication information in txt file

Repadmin Replsummary

Enabling the outbound replication

Guys please don’t forget to like and share the post.Also join our WindowsTechno Community and where you can post your queries/doubts and our experts will address them .

You can also share the feedback on below windows techno email id.

If you have any questions feel free to contact us on admin@windowstechno.com also follow us on facebook@windowstechno to get updates about new blog posts.

How useful was this post?

Click on a star to rate it!

As you found this post useful...

Follow us on social media!

Was this article helpful?
YesNo

Vipan Kumar

He is an Active Directory Engineer. He has been working in IT industry for more than 10 years. He is dedicated and enthusiastic information technology expert who always ready to resolve any technical problem. If you guys need any further help on subject matters, feel free to contact us on admin@windowstechno.com Please subscribe our Facebook page as well website for latest article. https://www.facebook.com/windowstechno
Back to top button