The Kerberos Service Account (KRBTGT) is effectively the Trust Anchor for the AD DOMAIN: a Ticket Granting Ticket (TGT) can be used throughout the AD DOMAIN and presented to any Domain Controller in it. Losing control of the Kerberos Service Account (KRBTGT) password hash equates to losing control of the AD DOMAIN.
The Kerberos Service Account cannot be deleted, and the account name cannot be changed.
The Kerberos Service Account cannot be enabled in Microsoft Active Directory.
The Kerberos Service Account is also the security principal name used by the Key Distribution Center (KDC) for a Windows Server domain, as specified by RFC 4120.
The Kerberos Service Account is the entity for the Kerberos Authentication Service, and it is created automatically when a new AD DOMAIN is created.