The KRBTGT Account Cannot Be Renamed or Enabled

ID: Q229909


The information in this article applies to:
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server


SYMPTOMS

By default, the KRBTGT domain account is disabled. Attempting to enable this account results in the following message:

Krbtgt could not be enabled due to the following problem:
Cannot perform this operation on built-in accounts.


CAUSE

Unlike other user accounts, the KRBTGT account cannot be used to log on to the domain, and therefore does not need to be enabled. The account also cannot be renamed because it is a built-in account. Attempting to rename the KRBTGT account results in the following message:

One of the names could not be changed due to the following problem:
Cannot perform this operation on built-in accounts.
Please try again.

Windows 2000 uses Kerberos as its default authentication protocol. Authentication is achieved by the use of tickets enciphered with a symmetric key derived from the password of the server or service to which access is requested. To request such a session ticket, a special ticket, called the Ticket Granting Ticket (TGT), must be presented to the Kerberos service itself. The TGT is enciphered with a key derived from the password of the KRBTGT account, which is known only by the Kerberos service.
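
The ticket flow described above, as an added simplified model (not Microsoft's code and not part of the original article). Assumptions: PBKDF2 stands in for the Kerberos string-to-key function, a toy hash-keystream cipher stands in for the real encryption types, session keys, authenticators and timestamps are omitted, and the realm, principal names and passwords are constructed.

```python
import hashlib, hmac, json, os

def derive_key(password, salt):
    # Stand-in for Kerberos string-to-key: a symmetric key derived from an account password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)

def keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, fields):
    # Toy authenticated encryption (hash keystream + HMAC tag); NOT a real Kerberos enctype.
    nonce, pt = os.urandom(16), json.dumps(fields).encode()
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, nonce, len(pt))))
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket was not enciphered with this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct)))))

class ToyKDC:
    def __init__(self, realm, krbtgt_password, service_passwords):
        self.realm = realm
        self.krbtgt_key = derive_key(krbtgt_password, realm + "krbtgt")
        self.service_keys = {s: derive_key(p, realm + s) for s, p in service_passwords.items()}

    def issue_tgt(self, client):
        # The TGT is enciphered under the KRBTGT-derived key, so the client cannot read or alter it.
        return seal(self.krbtgt_key, {"client": client, "realm": self.realm})

    def issue_service_ticket(self, tgt, service):
        # Presenting the TGT: only the Kerberos service holds the key that deciphers and checks it.
        client = unseal(self.krbtgt_key, tgt)["client"]
        return seal(self.service_keys[service], {"client": client, "service": service})

REALM, SERVICE, SERVICE_PW = "EXAMPLE.COM", "cifs/fileserver", "constructed-service-password"  # constructed

def demo():
    kdc = ToyKDC(REALM, "constructed-krbtgt-password", {SERVICE: SERVICE_PW})
    ticket = kdc.issue_service_ticket(kdc.issue_tgt("alice"), SERVICE)
    # The service deciphers the session ticket with the key derived from its own password.
    return unseal(derive_key(SERVICE_PW, REALM + SERVICE), ticket)

if __name__ == "__main__":
    print(demo())
```

In this model the service's key fails to open the TGT and a TGT altered in transit is rejected by the KDC, which is the property the KRBTGT-derived key provides.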


STATUS

This behavior is by design.

Keywords : kbenv kberrmsg
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbprb


Last Reviewed: December 29, 1999
© 2000 Microsoft Corporation. All rights reserved.