Kerberos Service Account (KRBTGT
) in Microsoft Windows
is the Service Account
and a Privileged Identity
for the Key Distribution Center
) service that is used to apply Digital Signatures
every authentication Ticket Granting Ticket
Kerberos Service Account (KRBTGT) is effectively the Trust Anchor used for the AD DOMAIN and implies the Ticket Granting Ticket (TGT) can be used throughout the AD DOMAIN and presented to any Domain Controller in the AD DOMAIN. Losing control of the Kerberos Service Account (KRBTGT) password-hash equates to losing control of the AD DOMAIN.
Kerberos Service Account account cannot be deleted, and the account name cannot be changed.
Kerberos Service Account account cannot be enabled in Microsoft Active Directory.
Kerberos Service Account is also the security principal name used by the KDC for a Windows Server domain, as specified by RFC 4120.
Kerberos Service Account account is the entity for the Kerberos Authentication Service and it is created automatically when a new AD DOMAIN is created.
There might be more information for this subject on one of the following: