KRBTGT Rotation: Why It Matters

Understanding the KRBTGT account, why regular password rotation is critical, and how to perform it safely without breaking authentication.

Updated January 24, 2025

The KRBTGT account underpins all Kerberos authentication in a domain: whoever holds its key can forge tickets that every domain controller accepts. Regular rotation limits how long a stolen key stays useful, and rotation after an incident is the only way to retire a key an attacker already has.

What is KRBTGT?

KRBTGT is a built-in, disabled account that exists in every Active Directory domain. The Key Distribution Center (KDC) derives its Kerberos keys from the account's password and uses them to encrypt Ticket Granting Tickets (TGTs) and to sign the PAC (the authorization data) inside them. Every TGT issued by any domain controller in the domain is encrypted with the current KRBTGT key, and the KDC also accepts tickets encrypted with the previous key, because Active Directory keeps the last two KRBTGT passwords. Nothing ever logs on as KRBTGT; the account exists only to hold that key.

Why Rotation Matters

Golden Ticket Attacks

If an attacker obtains the KRBTGT key, for example from the NTDS.dit or LSASS memory of a compromised domain controller, or by abusing directory replication rights to pull the hash, they can forge TGTs offline ("golden tickets") for any account, including Domain Admins, with whatever group membership and ticket lifetime they choose. They never need the impersonated user's password and never need to ask the KDC for the ticket, so the forgery leaves no logon event for the TGT itself. The forged tickets stay valid until the key they were made with is no longer accepted by the KDC.

Incident Recovery

After an incident in which a domain controller may have been compromised, the KRBTGT key must be assumed stolen. A single reset is not enough: the KDC still accepts tickets encrypted with the previous key, so the attacker's key keeps working. Resetting twice pushes the stolen key out of the KDC's key history, which invalidates every TGT, stolen or forged, that was made with it, and the attacker cannot mint new ones without stealing the new key.

Compliance

Many security frameworks and regulations require regular rotation of critical service account passwords, including KRBTGT.

When to Rotate

Regular rotation: Every 180 days (or per your organization's policy)

After security incidents: Immediately after any suspected domain controller compromise or after a penetration test or red team assessment that results in domain compromise

Before major changes, and after losing a DC: Before decommissioning domain controllers or making significant AD changes, and after any domain controller has been lost, stolen, or retired without being securely wiped, since its NTDS.dit holds the current KRBTGT hash

How to Rotate Safely

Step 1: Prepare

  • Ensure all domain controllers are healthy and replicating (a DC that has not received the new key will issue TGTs that other DCs reject)
  • Verify time synchronization across all DCs; Kerberos rejects requests with more than 5 minutes of clock skew by default
  • Have a recovery plan: the reset itself cannot be undone, so know which long-running services, scheduled jobs, and appliances may need a restart or re-logon to obtain fresh tickets
  • Schedule during a maintenance window if possible

Step 2: First Rotation

  1. Reset the KRBTGT password on one domain controller (the PDC emulator is a sensible single origin) using Set-ADAccountPassword -Reset, a similar PowerShell cmdlet, or the Active Directory Users and Computers console. The password value does not matter, since nothing logs on as KRBTGT; it only needs to be random. Note that each read-only domain controller has its own krbtgt_<id> account, which this reset does not touch.
  2. Force and then wait for replication to all domain controllers (repadmin /syncall <dc> /AdeP to push the change, repadmin /replsummary to check for errors). Confirm that pwdLastSet on the krbtgt object is identical on every writable DC.
  3. Verify authentication still works: purge cached tickets on a test client (klist purge), request a new TGT, and check that logons and service access succeed against more than one DC

Step 3: Second Rotation (Critical)

After the first reset the KDC still accepts tickets encrypted with the previous key, so a stolen key is still usable. Wait until the first change has replicated to every DC and at least the maximum TGT lifetime has passed (10 hours by default, set by the "Maximum lifetime for user ticket" Kerberos policy in your domain), so that TGTs issued under the old key expire on their own, then reset again. Only after the second reset is the old key gone from the KDC's key history and every ticket made with it rejected. Clients that still hold such a ticket are forced to re-authenticate; Windows does this transparently for interactive users, but long-running services and appliances may need a restart.

Step 4: Verify

  • Test authentication from multiple clients
  • Check event logs for authentication failures
  • Verify replication completed successfully
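The whole procedure in Steps 1 to 4, as an added example script that is not part of the original article or any vendor tooling. It is run twice: once for the first reset and again after the TGT lifetime has passed, and it refuses to perform the second reset early. It assumes the RSAT ActiveDirectory module, Domain Admin rights, repadmin and w32tm on the path, and the default 10-hour maximum TGT lifetime (adjust the parameter to your domain's Kerberos policy).

```powershell
# Added example, not the article's own tooling: two-run KRBTGT reset with the
# checks from Steps 1-4 built in. Run once, wait the TGT lifetime, run again.
# Assumptions: RSAT ActiveDirectory module, Domain Admin rights, repadmin/w32tm
# on the path, and the default 10-hour maximum TGT lifetime.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$MinHoursBetweenResets = 10,      # at least "Maximum lifetime for user ticket"
    [int]$ReplicationTimeoutMinutes = 30,
    [double]$MaxClockSkewSeconds = 300     # Kerberos tolerates 5 minutes of skew by default
)
$ErrorActionPreference = 'Stop'

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator
# Writable DCs only: each RODC has its own krbtgt_<id> account that this reset does not touch.
$dcs    = (Get-ADDomainController -Filter { IsReadOnly -eq $false }).HostName

function Get-KrbtgtState {
    # pwdLastSet and key version number (KVNO) of krbtgt as each writable DC sees it.
    foreach ($dc in $dcs) {
        $u = Get-ADUser -Identity krbtgt -Server $dc -Properties pwdLastSet, 'msDS-KeyVersionNumber'
        [pscustomobject]@{
            DC         = $dc
            PwdLastSet = [DateTime]::FromFileTimeUtc($u.pwdLastSet)
            Kvno       = $u.'msDS-KeyVersionNumber'
        }
    }
}

function Test-KrbtgtConverged {
    # True when every writable DC reports the same pwdLastSet, i.e. the last reset has replicated.
    @(Get-KrbtgtState | Select-Object -ExpandProperty PwdLastSet -Unique).Count -eq 1
}

function Test-Preflight {
    $failures = Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain
    if ($failures) { throw "Replication failures on: $(($failures.Server | Select-Object -Unique) -join ', ')" }
    if (-not (Test-KrbtgtConverged)) { throw 'The previous krbtgt change has not replicated to every DC yet' }
    foreach ($dc in $dcs) {
        # "w32tm /stripchart ... /dataonly" prints one "hh:mm:ss, +00.0123456s" line per sample.
        $sample = (w32tm /stripchart /computer:$dc /samples:1 /dataonly) | Select-Object -Last 1
        if ($sample -notmatch ',\s*([+-]?\d+[.,]\d+)s') { throw "Cannot read clock offset of ${dc}: $sample" }
        $skew = [math]::Abs([double]($Matches[1] -replace ',', '.'))
        if ($skew -gt $MaxClockSkewSeconds) { throw "$dc clock is ${skew}s off; fix time sync first" }
    }
}

function Assert-ResetInterval {
    # Refuse a second reset until TGTs issued under the key about to be retired have expired.
    $last = Get-KrbtgtState | Sort-Object PwdLastSet -Descending | Select-Object -First 1
    $age  = [DateTime]::UtcNow - $last.PwdLastSet
    if ($age.TotalHours -lt $MinHoursBetweenResets) {
        throw ('krbtgt was reset {0:N1} h ago (KVNO {1}); wait at least {2} h before the next reset' -f
               $age.TotalHours, $last.Kvno, $MinHoursBetweenResets)
    }
}

function Invoke-KrbtgtReset {
    # Nothing logs on as krbtgt, so the value only needs to be random; the KDC keys are derived from it.
    $bytes = New-Object byte[] 64
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    # Write the change on the PDC emulator so there is a single origin, then push it outbound.
    Set-ADAccountPassword -Identity krbtgt -Server $pdc -Reset -NewPassword $newPw
    repadmin /syncall $pdc /AdeP | Out-Null

    $deadline = (Get-Date).AddMinutes($ReplicationTimeoutMinutes)
    while (-not (Test-KrbtgtConverged)) {
        if ((Get-Date) -gt $deadline) { throw 'krbtgt change did not converge in time; fix replication before resetting again' }
        Start-Sleep -Seconds 30
    }
    Get-KrbtgtState | Format-Table -AutoSize   # every DC should now show the same PwdLastSet and KVNO

    # Verify: drop cached tickets and request a fresh TGT from the domain.
    klist purge | Out-Null
    $out = klist get "krbtgt/$($domain.DNSRoot)" 2>&1
    if (-not ($out -match 'Client:')) { throw "Could not obtain a new TGT after the reset:`n$out" }
}

Test-Preflight
Assert-ResetInterval
if ($PSCmdlet.ShouldProcess('krbtgt', 'Reset password (run twice, separated by the TGT lifetime)')) {
    Invoke-KrbtgtReset
}
```

Run it with -WhatIf first to exercise the pre-flight checks without touching the account. The interval guard is what makes the second run safe: it reads pwdLastSet from every DC rather than trusting a timestamp you wrote down, so a run that is too early, or that starts before the first change has reached every DC, stops before it can invalidate live tickets in bulk.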

Common Mistakes

Single rotation: The KDC keeps the previous KRBTGT key, so after one reset tickets made with the old key, including forged ones, are still accepted

Insufficient wait time: Resetting twice in quick succession, before the first change has replicated everywhere and before TGTs issued under the oldest key have expired, rejects live TGTs in bulk and breaks long-running sessions and services

No verification: Not testing authentication after rotation can lead to production outages

Poor timing: Rotating during business hours without testing can impact users

Best Practices

  1. Document the process: Have a written procedure for KRBTGT rotation
  2. Test in lab first: Practice the rotation process in a test environment
  3. Schedule appropriately: Rotate during maintenance windows when possible
  4. Monitor closely: Watch for authentication failures after rotation
  5. Automate if possible: Use a script so that the pre-checks, the replication wait, and the interval between the two resets are enforced the same way every time (Microsoft publishes New-KrbtgtKeys.ps1 on GitHub for this purpose)
  6. Regular cadence: Rotate every 180 days, not just after incidents
  7. Incident response: Have a plan for immediate rotation after security incidents

Detection

Signs that KRBTGT may be compromised:

  • Unusual authentication patterns, such as privileged accounts authenticating from hosts or at times they never use
  • Golden ticket usage: service ticket requests (Event ID 4769) for an account that never obtained a TGT (Event ID 4768) from any domain controller, tickets for accounts that do not exist in AD, or tickets whose lifetime exceeds domain policy
  • Evidence that a domain controller, its NTDS.dit, or LSASS on a DC was accessed, or directory replication performed by an account that is not a DC; any of these means the KRBTGT hash should be treated as stolen
  • Any security incident involving AD in which the attacker reached Domain Admin or equivalent rights
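The log checks behind Step 4 ("check event logs for authentication failures") and the golden ticket item above, as an added example that is not part of the original article. Part one lists failed Kerberos requests (4768 TGT requests, 4769 service ticket requests, 4771 pre-authentication failures) across all DCs since the reset time. Part two flags service ticket requests for accounts that never obtained a TGT from any DC within the lookback window, or that do not exist in AD at all, which is how a TGT forged offline shows up in the logs. It assumes the ActiveDirectory module, remote read access to the Security log on every DC, and the "Audit Kerberos Authentication Service" and "Audit Kerberos Service Ticket Operations" subcategories enabled; the status-code table is a partial map of RFC 4120 error codes.

```powershell
# Added example, not from the article: post-rotation Kerberos failure triage and
# a golden-ticket heuristic (4769 without a prior 4768) run over every DC's Security log.
# Assumes the ActiveDirectory module and remote Security-log read access on each DC.
#Requires -Modules ActiveDirectory
param(
    [DateTime]$Since       = (Get-Date).AddHours(-10),  # window to triage, e.g. the time of the reset
    [DateTime]$TgtLookback = (Get-Date).AddDays(-7)     # TGTs are renewable for 7 days by default
)
$AuditFailure = 0x10000000000000     # Keywords bit set on failure audits
$realm = (Get-ADDomain).DNSRoot.ToUpperInvariant()
$dcs   = (Get-ADDomainController -Filter *).HostName

# Partial table of Kerberos error codes (RFC 4120) as they appear in the event's Status field.
$KrbStatus = @{
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN (client not found)'
    '0x7'  = 'KDC_ERR_S_PRINCIPAL_UNKNOWN (service not found)'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED (bad password)'
    '0x1f' = 'KRB_AP_ERR_BAD_INTEGRITY (integrity check on decrypted field failed)'
    '0x25' = 'KRB_AP_ERR_SKEW (clock skew too great)'
}

function ConvertFrom-KerbEvent {
    param($Event, [string]$DC)
    # Pull the named EventData fields out of the event XML.
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # 4769 reports the client as user@REALM, 4768/4771 as a bare name: normalise both forms.
    $name, $userRealm = [string]$d['TargetUserName'] -split '@', 2
    $r = if ($userRealm) { $userRealm.ToUpperInvariant() } else { $realm }
    [pscustomobject]@{
        DC = $DC; Time = $Event.TimeCreated; Id = $Event.Id
        User = $name.ToLowerInvariant(); Realm = $r
        Service = $d['ServiceName']; Client = $d['IpAddress']
        Status = ([string]$d['Status']).ToLowerInvariant()
    }
}

function Get-KerbEvents {
    param([int[]]$Id, [DateTime]$Start, [long]$Keywords = 0)
    $filter = @{ LogName = 'Security'; Id = $Id; StartTime = $Start }
    if ($Keywords) { $filter.Keywords = $Keywords }
    foreach ($dc in $dcs) {
        # Get-WinEvent reports "no events found" as an error; treat it as an empty result.
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) { ConvertFrom-KerbEvent -Event $e -DC $dc }
    }
}

function Get-KerbFailures {
    # Part one: failed Kerberos requests since $Since, most frequent (status, account) pairs first.
    Get-KerbEvents -Id 4768, 4769, 4771 -Start $Since -Keywords $AuditFailure |
        Group-Object Status, User | ForEach-Object {
            $s = $_.Group[0].Status
            $meaning = if ($KrbStatus[$s]) { $KrbStatus[$s] } else { 'see RFC 4120' }
            [pscustomobject]@{
                Count = $_.Count; Status = $s; Meaning = $meaning; User = $_.Group[0].User
                Clients = ($_.Group.Client | Select-Object -Unique) -join ','
                DCs     = ($_.Group.DC | Select-Object -Unique) -join ','
            }
        } | Sort-Object Count -Descending
}

function Find-TgsWithoutTgt {
    # Part two: accounts that requested service tickets (4769) since $Since but obtained no TGT
    # (4768 with Status 0x0) from any DC during the lookback window. A forged TGT never goes
    # through the AS exchange, so it produces 4769s with no 4768 anywhere in the domain.
    $haveTgt = @{}
    $tgs = @()
    foreach ($ev in Get-KerbEvents -Id 4768, 4769 -Start $TgtLookback) {
        if ($ev.Id -eq 4768) { if ($ev.Status -eq '0x0') { $haveTgt[$ev.User] = $true } }
        elseif ($ev.Time -ge $Since -and $ev.Realm -eq $realm) { $tgs += $ev }   # skip cross-realm referrals
    }
    $tgs | Where-Object { -not $haveTgt.ContainsKey($_.User) } |
        Group-Object User | ForEach-Object {
            $name = $_.Name
            [pscustomobject]@{
                User       = $name
                ExistsInAD = [bool](Get-ADObject -Filter { sAMAccountName -eq $name })
                Requests   = $_.Count
                FirstSeen  = ($_.Group.Time | Sort-Object)[0]
                Services   = ($_.Group.Service | Select-Object -Unique) -join ','
                Clients    = ($_.Group.Client | Select-Object -Unique) -join ','
            }
        }
}

'== Kerberos failures since {0} ==' -f $Since
Get-KerbFailures | Format-Table -AutoSize
'== Service-ticket requests without a matching TGT request (investigate) =='
Find-TgsWithoutTgt | Format-Table -AutoSize
```

After a rotation, the first table is what you watch: a spike of failures for one account or one client usually means a service or appliance holding a stale ticket, while clock-skew errors point back to the time-sync check in Step 1. The second table is a triage list, not a verdict. Expect false positives from clients whose TGT predates the lookback window and from accounts in trusted domains, and expect it to be slow in a large domain, where the same join is better done in a SIEM over forwarded events. An entry with ExistsInAD = False, however, is worth immediate attention, since no legitimate client can obtain a ticket for an account that does not exist.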

If compromised, rotate immediately following the two-step process above.
