Why is the KRBTGT account in Windows Server 2003 disabled?
The KRBTGT account is disabled in Windows 2000/2003 Server because there is no reason or need for anyone to log in with the KRBTGT domain account. Because it is a built-in account, you cannot enable or rename the KRBTGT account. If you try to rename the account, you will get the error:
One of the names could not be changed due to the following problem:
Cannot perform this operation on built-in accounts.
Please try again.
If you try to enable the account, you will get the error:
Krbtgt could not be enabled due to the following problem:
Cannot perform this operation on built-in accounts.
Kerberos is the default authentication protocol in Windows 2000/2003. The KRBTGT account is used for the Kerberos Ticket Granting Ticket (TGT). The TGT is a ticket that must be presented to the Kerberos service when a session request is made. It is enciphered with a key derived from the password of the KRBTGT account, which is known only to the Kerberos service. As administrators, we don’t need to mess with this account.
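The disabled state described above is recorded in the account's userAccountControl attribute, so it can be confirmed from a directory export. The following is an added example, not part of the original article: it assumes an LDIF export of the krbtgt object (for instance produced with ldifde), and the domain name and attribute values in the sample are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of an LDIF export of the krbtgt object
# (domain name and attribute values are made up for illustration).
SAMPLE_LDIF = """\
dn: CN=krbtgt,CN=Users,DC=example,DC=com
changetype: add
objectClass: user
sAMAccountName: krbtgt
userAccountControl: 514
pwdLastSet: 127464192000000000
"""

# userAccountControl bits relevant to this check.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}

def parse_ldif_entry(text):
    """Return the single-valued attributes of one LDIF entry as a dict."""
    attrs = {}
    for line in text.splitlines():
        if ": " in line and not line.startswith("#"):
            name, value = line.split(": ", 1)
            attrs[name] = value.strip()
    return attrs

def decode_uac(value):
    """Names of the known flags set in a userAccountControl integer."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]

def filetime_to_datetime(filetime):
    """pwdLastSet counts 100 ns intervals since 1601-01-01 UTC."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=filetime // 10)

def audit_krbtgt(text):
    """Summarize the state of the exported krbtgt account."""
    attrs = parse_ldif_entry(text)
    flags = decode_uac(int(attrs["userAccountControl"]))
    return {
        "account": attrs["sAMAccountName"],
        "disabled": "ACCOUNTDISABLE" in flags,  # expected True for krbtgt
        "flags": flags,
        # The TGT key is derived from this password, so record when it was set.
        "password_last_set": filetime_to_datetime(int(attrs["pwdLastSet"])),
    }

if __name__ == "__main__":
    print(audit_krbtgt(SAMPLE_LDIF))
```

A result with "disabled" set to False would contradict the built-in behaviour described above and is worth investigating.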
I have a question about an error I am receiving; I don’t understand its meaning. It states “The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/myserver.domain.com. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (domain.com), and the client realm. Please contact your system administrator.”
I have a 2008 server (server2008) that is listed as our GC and a 2003 server (svr2003) listed as the DC. Please assist…..
Thanks
Ben, check out this KB article: http://support.microsoft.com/kb/558115. Another solution that works for some people has to do with resetting the secure channel. You can use NETDOM.EXE to reset the secure channel, as described in this KB article: http://support.microsoft.com/?id=288167.