Do You Need to Update KRBTGT Account Password?

A Reddit user raised this great question today that I am not aware of. So I did a little research and here is the breakdown of what it is.

What is KRBTGT?

The KRBTGT is a local default account that acts as a service account for the Key Distribution Center (KDC) service. It’s created automatically when a new domain is created.

  • It cannot be deleted
  • its name cannot be changed
  • it cannot be enabled
  • it only belongs to the following two groups
    • Domain Users
    • Denied RODC Password Replication Group

KDC service handles all Kerberos ticket requests so KRBTGT account in AD plays a key role that encrypts and sign all Kerberos tickets for the domain.

image 10 - Do You Need to Update KRBTGT Account Password?

You can also use the PowerShell code to get the account’s detail as well:

Get-AdUser krbtgt -property created, passwordlastset, enabled, sid, distinguishedname
image 9 - Do You Need to Update KRBTGT Account Password?

How it works:

  1. User logs on with AD user name and password to a domain-joined computer (usually a workstation).
  2. The user requests authentication by sending a timestamp (Pre-auth data) encrypted with the users password-based encryption key (password hash).
  3. User account ([email protected]) requests a Kerberos service ticket (TGT) with PREAUTH data (Kerberos AS-REQ).
  4. The Kerberos server (KDC) receives the authentication request, validates the data, and replies with a TGT (Kerberos AS-REP).

Why do you need to update its password?

99.99% of the time, the KRBTGT account’s password has not changed since the AD Domain was set up. But since it’s a domain account, all writable DCs know the account password in order to decrypt Kerberos tickets for validation.

Because of that, the attackers may use the KRBTGT account to persist on the network even if every other account has its password changed. During an incredibly awesome talk (Video) at the Black Hat 2014 security conference in Las Vegas, NV in early August, Skip Duckwall & Benjamin Delpy spoke about a method (using Mimikatz) to generate your own Kerberos tickets (aka the Golden Ticket).

And that’s why Microsoft now recommends that the KRBTGT password change on a regular basis.

How to change the password?

Microsoft posted a KRBTGT account password PowerShell script on TechNet that will change the KRBTGT account password once for a domain, force replication, and monitor change status.

Note that changing the KRBTGT account password in a 2008 (or higher) DFL will not cause replication issues.

There are two KRBTGT Password Change Scenarios:

  • Maintenance: Changing the KRBTGT account password once, waiting for replication to complete (and the forest converge), and then changing the password a second time, provides a solid process for ensuring the KRBTGT account is protected and reduces risk (Kerberos and application issues).
  • Breach Recovery: Changing the KRBTGT account password twice in rapid succession (before AD replication completes) will invalidate all existing TGTs forcing clients to re-authenticate since the KDC service will be unable to decrypt the existing TGTs. Choosing this path will likely require rebooting application servers (or at least re-starting application services to get them talking Kerberos correctly again).


One thought on “Do You Need to Update KRBTGT Account Password?

  1. Regarding your “Maintenance Change”, if the Kerberos password is changed before all user and service tickets expire (10 hours by default), then all workstatiions and servers will need to be rebooted. The recommendation is to review Group Policy Default Domain Policy\ Computer Configuration\ Policies\Windows Settings\Security Settings\ Account Policies\Kerberos Policy: Max lifetime for service and user tickets setting. After changing the password once, wait until this time period elapses then reset a second time.

Leave a Reply

Your email address will not be published. Required fields are marked *