
krbtgt password reset - denied due to complexity


I was cleaning up a directory that was new to me and found that the krbtgt account's password had not been reset in over two decades. When I tried to reset it, the change was rejected for not meeting password complexity requirements.

Each DC in an AD domain runs a Key Distribution Center (KDC) service that handles Kerberos ticket requests. The KDC encrypts and signs every ticket-granting ticket (TGT) with a key derived from the krbtgt account's password, which makes that secret one of the most sensitive in the domain: an attacker who obtains the krbtgt hash can forge TGTs for any principal, the so-called Golden Ticket attack: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/how-microsoft-advanced-threat-analytics-detects-golden-ticket/ba-p/250341


When I tried to reset the password, the change was rejected with a complexity error, even though I was using a 32-character randomly generated password that satisfied every complexity class (upper case, lower case, digits and punctuation). Digging around, I stumbled upon this article from Microsoft: https://docs.microsoft.com/en-us/troubleshoot/windows/win32/change-krbtgt-password-may-fail

It states:

“If a custom password filter (for example, passfilt.dll) is installed on a domain controller, you may receive the following error when trying to change the password for the krbtgt account.”

“This occurs because there is special logic when changing the password for krbtgt. While the Active Directory Users and Computers (dsa.msc) snap-in allows you to enter a password, it won’t be used when changing the password. Instead, the Active Directory creates a long string of random bits to use as the password. Since this string contains random data and not Unicode characters, it fails the typical tests included in password filters. These tests typically include checking to see if the password contains a certain combination of upper and lower case letters, numbers, and punctuation.”

I checked, and sure enough, a custom password filter was registered on the domain controllers. (Password filters are listed in the multi-string Notification Packages value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; on a stock DC only the built-in scecli and rassfm entries are present.)

The Fix

Found in this post on Spiceworks: https://community.spiceworks.com/topic/2258213-we-are-unable-to-reset-the-krbtgt-password-after-installed-openpasswordfilter

Create a new Fine-Grained Password Policy (FGPP) with complexity disabled, add DOMAIN\krbtgt as a subject of the FGPP, and try the reset again. FGPPs require a domain functional level of Windows Server 2008 or later. Exempting krbtgt from complexity does not weaken the account: as the Microsoft article explains, the value you type is discarded and AD generates a long random key in its place, so the policy only stops the filter from rejecting that random data.

The Spiceworks post shows the details in PowerShell, so I've provided the GUI version. Hope this saves somebody a headache or two.
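For anyone who prefers to script it, the following is an added example (not code from the original post or from the Spiceworks thread) that carries out the same fix from PowerShell and verifies each step. It assumes the ActiveDirectory module is available, that it runs as a Domain Admin on a domain controller, and that the domain functional level is 2008 or later; the policy name krbtgt-NoComplexity is an arbitrary choice.

```powershell
# Added example: apply the fix described above from PowerShell and verify it.
# Assumptions: ActiveDirectory module present, run as Domain Admin on a DC,
# domain functional level 2008+ (required for fine-grained password policies).
Import-Module ActiveDirectory

$PolicyName = 'krbtgt-NoComplexity'   # hypothetical name for the FGPP

# 1. Confirm the cause: a custom password filter registered with LSA.
#    Built-in entries on a DC are scecli and rassfm; anything else is custom.
$lsa     = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$filters = @($lsa.'Notification Packages') | Where-Object { $_ -notin @('scecli', 'rassfm') }
if ($filters) {
    Write-Host "Custom password filter(s) registered: $($filters -join ', ')"
} else {
    Write-Host 'No custom password filter registered on this DC'
}

# 2. Create the FGPP with complexity disabled. Precedence 1 makes it win over
#    any other FGPP that might also apply to krbtgt.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PolicyName -Precedence 1 `
        -ComplexityEnabled $false `
        -Description 'Lets the AD-generated random krbtgt key pass the password filter'
}

# 3. Scope the policy to the krbtgt account only.
Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects 'krbtgt'

# 4. Verify that the resultant policy for krbtgt is the new one.
$resultant = Get-ADUserResultantPasswordPolicy -Identity 'krbtgt'
if ($resultant.Name -ne $PolicyName) {
    throw "Resultant policy for krbtgt is '$($resultant.Name)', expected '$PolicyName'"
}

# 5. Retry the reset. The value supplied here is ignored by AD, which
#    substitutes a long random key, but a throwaway random string is supplied anyway.
$chars = (33..126) | ForEach-Object { [char]$_ }
$plain = -join (1..32 | ForEach-Object { $chars | Get-Random })
$pw    = ConvertTo-SecureString -String $plain -AsPlainText -Force
Set-ADAccountPassword -Identity 'krbtgt' -Reset -NewPassword $pw

# 6. Confirm the change landed by checking PasswordLastSet.
Get-ADUser -Identity 'krbtgt' -Properties PasswordLastSet |
    Select-Object Name, PasswordLastSet
```

Two operational notes. First, AD keeps the previous krbtgt key alongside the new one, so tickets issued before the reset keep validating; resetting a second time before every DC has replicated the first change and the longest outstanding ticket has expired (the default maximum ticket lifetime is 10 hours) will invalidate live tickets and cause domain-wide authentication failures. Second, a single reset still leaves the old key valid, so if the goal is to invalidate a suspected Golden Ticket you need two resets separated by that same replication-plus-ticket-lifetime window, not one.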

Related

IsConnectible: My vbScript Ping Method

Whenever I am doing large sweeps of the network that require connecting to a large number of workstations (e.g. file copy, WMI query, etc.), I prefer to check first whether I can even reach the system. This avoids waiting for (WMI) timeouts and also aids in troubleshooting failures. If the file copy failed, why? If I can't ping the host or its name can't be resolved, I would like to know right away and move on to the next host.

vbScript: Quickly determine architecture

I've been using a routine to tell 64-bit from 32-bit workstations for some time by checking the PROCESSOR_ARCHITECTURE value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment in the registry. However, this was proving to be error prone, so I gave up that method altogether: every Windows x64 edition has a "%SystemDrive%\Program Files (x86)" directory, which makes the check a quick call to the FolderExists method of the FileSystemObject. The only downside is that it can't be used remotely, but since most of my scripts run from local policies, this shouldn't be an issue.

PowerShell: Getting the IP Address, FQDN and MAC Address of Each Domain Controller

I was asked to establish a baseline for generating reports within AD. The two pieces of information required to generate these reports were the IP address and FQDN of each domain controller; the script would then connect to each system to gather data. While I was at it, I added the MAC address to see what other useful data the Win32_NetworkAdapterConfiguration class exposes.