The KRBTGT Account Cannot Be Renamed or Enabled (229909)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server

This article was previously published under Q229909

SYMPTOMS

By default, the KRBTGT domain account is disabled. Attempting to enable this account results in the following message:
Krbtgt could not be enabled due to the following problem:
Cannot perform this operation on built-in accounts.

CAUSE

Unlike other user accounts, the KRBTGT account cannot be used to log on to the domain, and therefore does not need to be enabled. The account cannot be renamed because it is a built-in account. Attempting to rename the KRBTGT account results in the following message:
One of the names could not be changed due to the following problem:
Cannot perform this operation on built-in accounts.
Please try again.

STATUS

This behavior is by design.

MORE INFORMATION

Windows 2000 uses Kerberos as its default authentication protocol. Authentication is achieved by using tickets that are enciphered with a symmetric key that is derived from the password of the server or service to which access is requested. To request such a session ticket, a special ticket called the Ticket Granting Ticket (TGT) must be presented to the Kerberos service itself. The TGT is enciphered with a key that is derived from the password of the KRBTGT account, which is known only by the Kerberos service.
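
The ticket flow described above, as an added Python illustration that is not part of the original article and is not Microsoft code. It is a simplified model: PBKDF2 and an HMAC-based toy cipher stand in for the real Kerberos key derivation and encryption, session keys and authenticators are omitted, and the class name, realm, account names and passwords are all constructed.

```python
import hashlib, hmac, json, os

def string_to_key(password, salt):
    # Assumption: PBKDF2 stands in for the real Kerberos string-to-key function.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)

def keystream(key, nonce, length):
    # Toy HMAC-SHA256 counter-mode keystream (illustration only, not a Kerberos etype).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key, claims):
    # Encrypt-then-MAC with separate subkeys derived from the long-term key.
    enc, mac = (hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))
    nonce, plain = os.urandom(16), json.dumps(claims).encode()
    cipher = bytes(a ^ b for a, b in zip(plain, keystream(enc, nonce, len(plain))))
    return nonce + cipher + hmac.new(mac, nonce + cipher, hashlib.sha256).digest()

def unseal(key, blob):
    enc, mac = (hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + cipher, hashlib.sha256).digest()):
        raise ValueError("ticket was not sealed with this key")
    return json.loads(bytes(a ^ b for a, b in zip(cipher, keystream(enc, nonce, len(cipher)))))

class KerberosService:
    """Hypothetical stand-in for the Kerberos service on a domain controller."""
    def __init__(self, realm, krbtgt_password, service_passwords):
        self.krbtgt_key = string_to_key(krbtgt_password, realm + "krbtgt")
        self.service_keys = {name: string_to_key(pw, realm + name)
                             for name, pw in service_passwords.items()}

    def issue_tgt(self, client):
        # The TGT is sealed under the KRBTGT key, so only this service can read it back.
        return seal(self.krbtgt_key, {"client": client, "kind": "TGT"})

    def issue_session_ticket(self, tgt, service):
        claims = unseal(self.krbtgt_key, tgt)  # raises if the TGT is not genuine
        return seal(self.service_keys[service], {"client": claims["client"], "service": service})

def demo():
    # Constructed realm, names and passwords.
    kdc = KerberosService("EXAMPLE.TEST", "constructed-krbtgt-pw", {"cifs/fs1": "constructed-svc-pw"})
    ticket = kdc.issue_session_ticket(kdc.issue_tgt("alice"), "cifs/fs1")
    fs1_key = string_to_key("constructed-svc-pw", "EXAMPLE.TESTcifs/fs1")
    return unseal(fs1_key, ticket)  # the file server opens it with its own key
```

In this model the KRBTGT key is used only inside the Kerberos service to seal and open TGTs; nothing ever logs on with it, which is consistent with the account being disabled.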

Modification Type: Major
Last Reviewed: 11/20/2003
Keywords: kbenv kberrmsg kbprb KB229909