Microsoft KB Archive/229909

= The KRBTGT Account Cannot Be Renamed or Enabled =

Article ID: 229909

Article Last Modified on 2/27/2007


== APPLIES TO ==


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server




This article was previously published under Q229909



== SYMPTOMS ==
By default, the KRBTGT domain account is disabled. Attempting to enable this account results in the following message:

Krbtgt could not be enabled due to the following problem:

Cannot perform this operation on built-in accounts.



== CAUSE ==
Unlike other user accounts, the KRBTGT account cannot be used to log on to the domain, and therefore does not need to be enabled. The account cannot be renamed because it is a built-in account. Attempting to rename the KRBTGT account results in the following message:

One of the names could not be changed due to the following problem:

Cannot perform this operation on built-in accounts.

Please try again.



== STATUS ==
This behavior is by design.



== MORE INFORMATION ==
Windows 2000 uses Kerberos as its default authentication protocol. Authentication is achieved by using tickets that are enciphered with a symmetric key that is derived from the password of the server or service to which access is requested. To request such a session ticket, a special ticket called the Ticket Granting Ticket (TGT) must be presented to the Kerberos service itself. The TGT is enciphered with a key that is derived from the password of the KRBTGT account, which is known only by the Kerberos service.
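
The following added example (not part of the original article, and not Microsoft code) models the ticket flow described above in Python: the TGT is sealed with the KRBTGT key, which only the KDC holds, and the session ticket is sealed with the key of the target service. It is a simplified model whose key derivation and cipher are standard-library stand-ins, and it omits session keys, authenticators, timestamps and pre-authentication; the realm, principal names and passwords used with it are constructed.

```python
import hashlib, hmac, json, os

def derive_key(password, salt):
    # Stand-in for Kerberos string-to-key: a long-term key derived from a password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)

def subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, claims):
    # Toy encrypt-then-MAC (assumption for this example), not a real Kerberos etype.
    nonce, pt = os.urandom(16), json.dumps(claims, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, keystream(subkey(key, b"enc"), nonce, len(pt))))
    return nonce + ct + hmac.new(subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ticket was not enciphered with this key")
    stream = keystream(subkey(key, b"enc"), nonce, len(ct))
    return json.loads(bytes(a ^ b for a, b in zip(ct, stream)))

def can_open(key, blob):
    try:
        unseal(key, blob)
        return True
    except ValueError:
        return False

class KDC:
    def __init__(self, realm):
        self.realm, self.keys = realm, {}
        # In this model krbtgt gets a random password that no user ever types.
        self.add_principal("krbtgt", os.urandom(32).hex())

    def add_principal(self, name, password):
        self.keys[name] = derive_key(password, self.realm + name)

    def issue_tgt(self, client):
        return seal(self.keys["krbtgt"], {"client": client, "type": "TGT"})

    def issue_service_ticket(self, tgt, service):
        claims = unseal(self.keys["krbtgt"], tgt)  # only the KDC holds this key
        return seal(self.keys[service], {"client": claims["client"], "service": service})
```

The KRBTGT key is only ever used inside the KDC to seal and open TGTs, which is why the account never needs to be enabled for logon.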

Keywords: kbenv kberrmsg kbprb KB229909


© Microsoft Corporation. All rights reserved.