At the beginning of the day, when a user sits down at his workstation and enters his domain username and password, the workstation contacts the logon DC (Logon Server) and requests a ticket-granting ticket (TGT) from the Kerberos Key Distribution Center (KDC) service. All Windows users get a TGT from the KDC at the start of their Windows login session after they successfully authenticate to the KDC by using their password.
The KDC encrypts a user’s TGT with a key it derives from the password of the krbtgt AD domain account. The krbtgt account and its password are shared between the KDC services of all DCs in a domain. The krbtgt account is automatically created as part of the dcpromo AD installation process on the first DC in a domain. It will be located under the Users container in Active Directory Users and Computers and is disabled by default. Unlike other AD user accounts, the krbtgt account can’t be used to log on interactively to the domain. Because it’s a built-in account, krbtgt also can’t be renamed.
If you are already familiar with the logon audit event logs, you may have seen the krbtgt account listed as the service in event 4768.
Event 4768: A Kerberos authentication ticket request
A Kerberos authentication ticket (TGT) was requested.

Account Information:
    Account Name: Morgan
    Supplied Realm Name: testdomain
    User ID: TESTDOMAIN\administrator

Service Information:
    Service Name: krbtgt
    Service ID: TESTDOMAIN\krbtgt

Network Information:
    Client Address: 103.187.1.13
    Client Port: 0

Additional Information:
    Ticket Options: 0x40810010
    Result Code: 0x0
    Ticket Encryption Type: 0x12
    Pre-Authentication Type: 2
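
For reviewing these events in bulk, the following added example (not part of the original article) parses the message text of a 4768 event and decodes the Ticket Encryption Type, so that TGT requests answered with DES or RC4 instead of AES stand out. The function names and the trimmed sample message are assumptions made for illustration; the encryption type numbers are the standard Kerberos assignments that Windows logs.

```python
import re

# Constructed sample: the 4768 message shown above, one field per line (User ID/Service ID omitted).
SAMPLE_4768 = """A Kerberos authentication ticket (TGT) was requested.
Account Information:
  Account Name: Morgan
  Supplied Realm Name: testdomain
Service Information:
  Service Name: krbtgt
Network Information:
  Client Address: 103.187.1.13
Additional Information:
  Ticket Options: 0x40810010
  Result Code: 0x0
  Ticket Encryption Type: 0x12
  Pre-Authentication Type: 2
"""

# Kerberos encryption type numbers as they appear in the event.
ETYPES = {0x1: "DES-CBC-CRC", 0x3: "DES-CBC-MD5", 0x11: "AES128-CTS-HMAC-SHA1-96",
          0x12: "AES256-CTS-HMAC-SHA1-96", 0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP"}
WEAK = {0x1, 0x3, 0x17, 0x18}

def parse_4768(message):
    """Return {field: value} for each 'Name: value' line; section headers are skipped."""
    fields = {}
    for line in message.splitlines():
        m = re.match(r"\s*([^:]+):\s*(\S.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def review_tgt_request(message):
    """Summarise one 4768 event and list findings worth an analyst's attention."""
    f = parse_4768(message)
    etype = int(f.get("Ticket Encryption Type", "0xffffffff"), 16)
    result = int(f.get("Result Code", "0x0"), 16)
    findings = []
    if f.get("Service Name", "").lower() != "krbtgt":
        findings.append("service is not krbtgt")
    if result != 0:
        findings.append("request failed, result code 0x%x" % result)
    elif etype in WEAK:
        findings.append("TGT issued with weak etype " + ETYPES[etype])
    if f.get("Pre-Authentication Type") == "0":
        findings.append("no pre-authentication")
    return {"account": f.get("Account Name"), "client": f.get("Client Address"),
            "etype": ETYPES.get(etype, hex(etype)), "findings": findings}
```

For the event above, review_tgt_request(SAMPLE_4768) reports AES256-CTS-HMAC-SHA1-96 with no findings.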