
What is the point/goal of setting the password history to two for the KRBTGT service account?

D NF 15 Reputation points
2023-04-24T19:56:30.3633333+00:00

I'm wondering what the point is of setting the password history to two on the krbtgt account, when both of the last two set passwords will be valid to authenticate, and then recommending to reset the password twice in order to clear the password history. Why have you, as Microsoft, created that policy by default? And when resetting the password twice, will it be valid to use the same password twice just to clear the password history, or will it show an error that the current password has already been used? Thank you.


3 answers

  1. Limitless Technology 45,231 Reputation points
    2023-04-25T14:06:26.2+00:00

    Hello there. The krbtgt account acts as a service account for the Kerberos Key Distribution Center (KDC) service. The account and password are created when a domain is created, and the password is typically not changed. If the krbtgt account is compromised, attackers can create valid Kerberos Ticket Granting Tickets (TGTs). The password must be changed twice to effectively remove the password history. Changing it once, waiting for replication to complete and changing it again reduces the risk of issues. Changing it twice in rapid succession forces clients to re-authenticate (including application services), but is desired if a compromise is suspected. You should perform this operation twice. When resetting the Key Distribution Center Service Account password twice, a 10 hour waiting period is required between resets. 10 hours is the default for the Maximum lifetime for user ticket and Maximum lifetime for service ticket policy settings, hence in a case where the Maximum lifetime period has been altered, the minimum waiting period between resets should be greater than the configured value. Hope this resolves your query! --If the reply is helpful, please Upvote and Accept it as an answer--


  2. Anonymous
    2023-04-25T19:59:38.3433333+00:00

    The krbtgt account stores 1 old password as history so it can validate unexpired tickets from the previous password, so reset it once, then wait a period of time for replication to fully complete. For a normal KRBTGT rotation you could wait 24 hours, then do the second one.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  3. Anonymous
    2023-04-24T20:05:48.4566667+00:00

    The password history value for the krbtgt account is 2, meaning it includes the 2 most recent passwords. By resetting the password twice you effectively clear any old passwords from the history, so there is no way another DC will replicate with this DC by using an old password.
    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password#to-reset-the-krbtgt-password

    --please don't forget to upvote and Accept as answer if the reply is helpful--


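As an added example, not code from this thread or from Microsoft: a PowerShell pre-check to run before the second krbtgt reset, which confirms the first reset has replicated to every writable domain controller and that more than one maximum ticket lifetime has elapsed since it. It assumes the ActiveDirectory RSAT module, Domain Admin rights, and that you pass the Kerberos "Maximum lifetime for user ticket" value from your Default Domain Policy (the default of 10 hours is only a placeholder).

```powershell
# Added example: gate the SECOND krbtgt reset on replication and ticket lifetime.
# $MaxTicketLifetimeHours is an assumption: 10 h is the default Kerberos policy
# value; read the real one from the Default Domain Policy and pass it in.
param(
    [int]$MaxTicketLifetimeHours = 10
)
Import-Module ActiveDirectory

# Query krbtgt's PasswordLastSet on every writable DC (RODCs use their own krbtgt_NNNN).
$dcs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }
$results = foreach ($dc in $dcs) {
    $u = Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties PasswordLastSet
    [pscustomobject]@{ DC = $dc.HostName; PasswordLastSet = $u.PasswordLastSet }
}
$results | Format-Table -AutoSize

# If DCs disagree, the first reset has not replicated everywhere: do not reset again yet.
$distinct = @($results.PasswordLastSet | Sort-Object -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "krbtgt PasswordLastSet differs between DCs; replication of the first reset is incomplete. Do not perform the second reset."
    return
}

# Wait at least one full maximum ticket lifetime so tickets issued under the
# previous key (still honoured via the history) have expired.
$elapsed  = (Get-Date) - $distinct[0]
$required = [TimeSpan]::FromHours($MaxTicketLifetimeHours)
if ($elapsed -lt $required) {
    Write-Warning ("Only {0:N1} h since the first reset; wait at least {1} h (max ticket lifetime) before the second reset." -f $elapsed.TotalHours, $MaxTicketLifetimeHours)
} else {
    Write-Host ("Replicated on all {0} writable DCs and {1:N1} h elapsed; safe to perform the second reset:" -f @($results).Count, $elapsed.TotalHours)
    # The supplied value is not used literally: AD generates a random password for krbtgt.
    Write-Host '  Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (Read-Host -AsSecureString "New krbtgt password")'
}
```

Run it against the same domain before the second reset; the same "no replication yet" check also answers whether the first reset is safe to rely on at all.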
