Comments on: Do You Need to Update KRBTGT Account Password?

By: www.kjctech.net krbtgt login - Login Directly

www.kjctech.net krbtgt login - Login Directly — Thu, 08 Sep 2022 11:00:20 +0000

[…] Do You Need to Update KRBTGT Account Password? | KC’s Blog […]

By: David Calvin

David Calvin — Fri, 23 Oct 2020 13:41:38 +0000

In reply to Rob Rech. Thanks for the extra info. i highly doubt author cares past they view count.

By: Monitoring with PowerShell: AD KRBTGT & making your own canaries - CyberDrain

Mon, 06 Jul 2020 07:05:04 +0000

[…] easy. Both are somewhat security oriented. The first part of the blog we will tackle monitoring the KRBTGT password. This needs to be reset on a regular schedule to ensure bad actors can’t abuse […]

By: Rob Rech

Rob Rech — Fri, 27 Mar 2020 19:36:50 +0000

A few more thoughts on this article:
“A Reddit user raised this great question today that I am not aware of. So I did a little research and here is the breakdown of what it is.” I would suggest doing more research and updating your article. As a Microsoft MVP, people may take your article at face value. If someone follows as is, its dangerous for their domain.

“Note that changing the KRBTGT account password in a 2008 (or higher) DFL will not cause replication issues.” A warning needs to be made here, that Functionality Level 2008 is REQUIRED to be able to support changing the KRBTGT password. if the functionality level is say 2003, Kerberos only supports using the current password, not the previous password. Changing the password with 2003 will not only result in replication issues, it will invalidate all tickets on the domain, forcing everyone and all servers to reboot. That’s a much greater impact than just breaking replication. Changing the password with older functionality level than 2008 is tantamount to the Breach Recovery mode.

Notes should also be made about RODCs using a separate password than RWDCs.

By: Rob

Rob — Fri, 27 Mar 2020 19:21:59 +0000

I’ll expand, regarding the “Breach Recovery” you have to wait until all DCs have replicated before you make the second change. After they have been validated to be in sync, make the change again to invalidate any open kerberos tickets. At that point, all systems on the network will disconnect and require reauthentication / reboots.

By: Rob

Rob — Fri, 12 Jul 2019 13:33:07 +0000

Regarding your “Maintenance Change”, if the Kerberos password is changed before all user and service tickets expire (10 hours by default), then all workstatiions and servers will need to be rebooted. The recommendation is to review Group Policy Default Domain Policy\ Computer Configuration\ Policies\Windows Settings\Security Settings\ Account Policies\Kerberos Policy: Max lifetime for service and user tickets setting. After changing the password once, wait until this time period elapses then reset a second time.