Intermediate

KRBTGT Account Management

The KRBTGT account is the master key to your entire Kerberos infrastructure — its password hash encrypts every TGT, and rotating it is the only way to invalidate Golden Tickets.

Every time you log into a Windows domain, the Kerberos system gives you a Ticket-Granting Ticket (TGT) that proves your identity. These TGTs are encrypted using the KRBTGT account's password hash — a special built-in account that exists solely for this purpose. If an attacker gets the KRBTGT hash (via DCSync or NTDS.dit extraction), they can forge their own TGTs (Golden Tickets) for any user, including Domain Admin, with any expiration date they choose. The only way to stop Golden Tickets is to change the KRBTGT password — and you must change it TWICE because AD keeps the current and previous password, accepting both.

In a kingdom, the Royal Mint has a master stamp used to authenticate every gold coin. If a counterfeiter steals an impression of this stamp, they can produce unlimited fake coins that pass inspection. The only fix is to destroy the old stamp and create a new one — then re-stamp all legitimate coins. The KRBTGT account is the master stamp: it signs every Kerberos TGT. If an attacker gets the KRBTGT hash, they forge unlimited Golden Tickets. Rotating the password is like replacing the stamp — but you must do it twice because the mint keeps one backup stamp.

Key Takeaways

  1. The KRBTGT hash encrypts every TGT in the domain — compromise it and you can forge Golden Tickets.
  2. The KRBTGT password must be reset TWICE to fully invalidate all Golden Tickets.
  3. Wait for full replication plus the maximum ticket lifetime between the two resets, so that tickets encrypted with the previous key have expired before that key is discarded.
  4. Many organizations have never rotated KRBTGT since domain creation — fix this immediately.
  5. KRBTGT rotation alone is insufficient if attackers have AD CS certificates or other persistence.
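
The double-rotation procedure above, as an added example rather than code from the original page or its cited sources: one KRBTGT reset that first refuses to run if the previous key is younger than the maximum ticket lifetime, then polls every writable DC until the new key version (msDS-KeyVersionNumber) has replicated. It assumes the RSAT ActiveDirectory module, Domain Admin rights, and the 10-hour default for "Maximum lifetime for user ticket" (check your Kerberos policy GPO); run it once, wait, then run it again for the second reset.

```powershell
# Added example, not from the source page. Requires ActiveDirectory module and Domain Admin rights.
Import-Module ActiveDirectory

function Get-KrbtgtKvnoByDC {
    # Ask each writable DC for its own copy; RODCs use separate krbtgt_<id> accounts and are skipped.
    Get-ADDomainController -Filter { IsReadOnly -eq $false } | ForEach-Object {
        $k = Get-ADUser -Identity krbtgt -Server $_.HostName -Properties 'msDS-KeyVersionNumber', PasswordLastSet
        [pscustomobject]@{ DC = $_.HostName; Kvno = $k.'msDS-KeyVersionNumber'; PasswordLastSet = $k.PasswordLastSet }
    }
}

function Invoke-KrbtgtReset {
    # 10 h is the assumed default Kerberos user-ticket lifetime; override if your GPO differs.
    param([int]$MaxTicketLifetimeHours = 10, [int]$ReplicationTimeoutMinutes = 30)

    $before = @(Get-KrbtgtKvnoByDC)
    if (($before.Kvno | Sort-Object -Unique).Count -ne 1) {
        throw "KVNO differs between DCs ($($before.Kvno -join ',')): the previous reset has not fully replicated."
    }
    # Second reset must wait until every ticket issued under the previous key has expired.
    $age = (Get-Date) - ($before.PasswordLastSet | Sort-Object | Select-Object -First 1)
    if ($age.TotalHours -lt $MaxTicketLifetimeHours) {
        throw "Last reset was $([int]$age.TotalHours)h ago; wait at least $MaxTicketLifetimeHours h before the next one."
    }

    # Random 256-bit password: nobody ever types it, so it only needs to be unguessable.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPwd = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    $pdc = (Get-ADDomain).PDCEmulator
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $newPwd -Server $pdc
    $target = $before[0].Kvno + 1
    Write-Host "KRBTGT reset on $pdc at $(Get-Date -Format o); expecting KVNO $target on every DC."

    # Poll until every writable DC reports the incremented key version, i.e. replication is complete.
    $deadline = (Get-Date).AddMinutes($ReplicationTimeoutMinutes)
    do {
        Start-Sleep -Seconds 60
        $state = @(Get-KrbtgtKvnoByDC)
        $lagging = $state | Where-Object { $_.Kvno -lt $target }
        if (-not $lagging) { Write-Host "Replicated to all $($state.Count) DCs."; return $state }
        Write-Host "Still waiting on: $($lagging.DC -join ', ')"
    } while ((Get-Date) -lt $deadline)
    throw "Replication did not complete within $ReplicationTimeoutMinutes minutes; investigate before resetting again."
}

Invoke-KrbtgtReset
```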

Why Should I Care?

The KRBTGT account is the single most important secret in Active Directory. Regular rotation limits Golden Ticket lifetime, and knowing how to perform an emergency double-rotation is essential for incident response.

SourceSudo

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.