What is the use of krbtgt account in Active Directory?

The krbtgt account is nothing but the Key Distribution Center Service Account (KDC) and it is responsible to grant Kerberos authentication ticket (TGT) from Active Directory. The Kerberos authentication protocol uses session tickets that are encrypted with a symmetric key derived from the password of the server or service to which a Windows user requests access.

At the beginning of the day when a user sits down at his workstation and enters his domain username and password, the workstation contacts the logon DC (Logon Server) and requests a ticket-granting ticket TGT to the Kerberos Key Distribution Center (KDC) service. All Windows users get a TGT from the KDC at the start of their Windows login session after they successfully authenticate to the KDC by using their password.

The KDC encrypts a user’s TGT with a key it derives from the password of the krbtgt AD domain account. The krbtgt account and its password are shared between the KDC services of all DCs in a domain. The krbtgt account is automatically created as part of the dcpromo AD installation process on the first DC in a domain. It will be located under the Users container in Active Directory Users and Computers and is disabled by default. Unlike other AD user accounts, the krbtgt account can’t be used to log on interactively to the domain. Because it’s a built-in account, krbtgt also can’t be renamed.

If you already familiar with the logon audit event logs, you could see the krbtgt account as service in the event 4768.


Event 4768: A Kerberos authentication ticket request

A Kerberos authentication ticket (TGT) was requested.

Account Information:

   Account Name: Morgan
   Supplied Realm Name: testdomain
   User ID: TESTDOMAINadministrator

Service Information:

   Service Name: krbtgt
   Service ID: TESTDOMAINkrbtgt

Network Information:

   Client Address: 103.187.1.13
   Client Port: 0

Additional Information:

   Ticket Options: 0x40810010
   Result Code: 0x0
   Ticket Encryption Type: 0x12
   Pre-Authentication Type: 2
Advertisement

Leave a Comment