
I disabled the Key Distribution Center user by mistake and...

Question by phntm
Submitted on 4/26/2004
Related FAQ: Kerberos FAQ, v2.0 (last modified 8/18/2000)
I disabled the Key Distribution Center user by mistake and can no longer log clients into the server.  How do I re-enable the Key Distribution Center (KDC) user in Windows 2000?




Answer by haybaker
Submitted on 11/9/2004
As summed up in the last paragraph below, that's just the way it is. This was quoted from the following site:
http://www.microsoft.com/technet/Security/topics/issues/w2kccscg/w2kscgcd.mspx

krbtgt: Key distribution service center account. Windows 2000 Kerberos authentication is achieved by the use of tickets enciphered with a symmetric key derived from the password of the server or service to which access is requested. To request such a session ticket, a special ticket, called the Ticket Granting Ticket (TGT), must be presented to the Kerberos service itself. The TGT is enciphered with a key derived from the password of the krbtgt account, which is known only by the Kerberos service.
Use of this account by more than one user violates FAU_GEN.2, User Identity Association.
This account is disabled on Domain Controllers by default.
Requirement:

Unlike other user accounts, the krbtgt account cannot be used to log on to the domain and in fact, cannot be enabled


 


© 2008 FAQS.ORG. All rights reserved.