The information in this article applies to:
SYMPTOMSBy default, the KRBTGT domain account is disabled. Attempting to enable this account results in the following message:
CAUSEUnlike other user accounts, the KRBTGT account cannot be used to log on to the domain, and therefore does not need to be enabled. The account also cannot be renamed because it is a built-in account. Attempting to rename the KRBTGT account results in the following message: Windows 2000 uses Kerberos as its default authentication protocol. Authentication is achieved by the use of tickets enciphered with a symmetric key derived from the password of the server or service to which access is requested. To request such a session ticket, a special ticket, called the Ticket Granting Ticket (TGT) must be presented to the Kerberos service itself. The TGT is enciphered with a key derived from the password of the KRBTGT account, which is known only by the Kerberos service. STATUSThis behavior is by design. Additional query words:
Keywords : kbenv kberrmsg |
Last Reviewed: December 29, 1999 © 2000 Microsoft Corporation. All rights reserved. Terms of Use. |