There are elements in Active Directory that we completely forget about because they never come up in day-to-day operations. The krbtgt account is one of them. Though invisible in everyday use, it is at the heart of all Kerberos authentication in your domain—and its compromise is one of the most catastrophic scenarios an attacker could trigger.
In this article, we’ll explore what this account really is, why you need to change its password regularly, and how to automate this process cleanly with Ansible.
Kerberos 101: What the KDC Does
Before discussing krbtgt, here’s a quick refresher on how Kerberos works in an Active Directory domain.
When a user connects to a domain resource (a file server, a web app, or any service), they never transmit their password directly. Instead, the Kerberos process unfolds in three steps:
-
AS-REQ / AS-REP: The client contacts the KDC (Key Distribution Center, i.e., the domain controller) to request a TGT (Ticket-Granting Ticket). If the credentials are valid, the KDC returns the TGT, encrypted and signed.
-
TGS-REQ / TGS-REP: With its TGT in hand, the client requests a service ticket (ST) for the target resource.
-
AP-REQ: The client presents its service ticket directly to the resource, which can validate it without going back through the KDC.
This mechanism is elegant: the resource does not have to contact the DC with every connection, and the user’s password never travels in plain text over the network.
The krbtgt account: the cornerstone
The krbtgt account is a special, disabled service account created automatically when a domain controller is promoted. Its role is unique and fundamental: its password is used by the KDC to encrypt and sign all TGTs issued in the domain.
In other words, every Kerberos ticket in your domain bears the imprint of the key derived from the krbtgt password. When a domain controller receives a TGT to validate, it does not consult a database—it simply verifies that the ticket was indeed signed with its krbtgt key.
┌─────────────────────────────────────────────────────────┐
│ Domain controller │
│ │
│ [ krbtgt account ] │
│ Password hash ──► TGT encryption key │
│ │
│ Any valid TGT = signed with this key │
└─────────────────────────────────────────────────────────┘
This account never logs in, never authenticates, and never sends any network traffic. It exists solely as cryptographic hardware.
The Golden Ticket Attack: When krbtgt Is Compromised
If an attacker manages to extract the NTLM hash of the krbtgt password, they can forge valid TGTs from scratch—without going through the KDC, for any user, with any groups, and for any validity period.
This is known as the Golden Ticket.
# Example using Mimikatz (for educational purposes)
# Extracting the krbtgt hash on a compromised DC
lsadump::lsa /patch
# Forging a Golden Ticket valid for 10 years for "Administrator"
kerberos::golden /user:Administrator /domain:mydomain.local
/sid:S-1-5-21-... /krbtgt:<hash_ntlm> /endin:87600
With this ticket:
- The attacker is indistinguishable from a legitimate administrator in the eyes of all domain member servers
- The ticket remains valid even if the actual administrator account is disabled or renamed
- The ticket remains valid as long as the krbtgt password has not been changed
- The attack persists even after reinstalling the compromised machine (as long as the domain is running)
This is one of the few attacks in Active Directory that provides absolute persistence. Hence the critical importance of regularly changing this account’s password.
> Important note: Microsoft stores the last two passwords for the krbtgt account (the current one and the previous one). Tickets signed with either one remain valid. This is why you must change the password twice to completely invalidate the old tickets.
Why don’t we do this more often?
The honest answer: out of fear. And this fear is partly justified.
Changing the krbtgt password triggers replication to all domain controllers in the domain. During the period when some DCs have the new password and others do not yet, authentications may fail.
Common problem scenarios:
- Multi-site environments with slow WAN links
- DCs that are offline or undergoing maintenance at the time of the change
- Kerberos tickets currently in use with a long validity period
In practice, in a well-maintained environment (synchronized DCs, reasonable replication latency), the change occurs without any visible issues. Microsoft recommends waiting at least 10 hours between the two rotations—this is the default maximum validity period for a Kerberos ticket (10 hours of UserLogonLifetime).
Recommended Frequency
There is no absolute consensus, but the general recommendations are as follows:
| Context | Suggested Frequency |
|---|---|
| Standard environment | Every 180 days |
| Post-incident (suspected compromise) | Immediately, twice at 10-hour intervals |
| Termination of a former employee with DC access | Immediately |
| After a DC migration | Recommended |
| After a DC restore from backup | Mandatory |
Microsoft has also released an official PowerShell script (New-KrbtgtKeys.ps1) that has become the standard for this operation. We will use it as the basis on the Windows side and orchestrate it via Ansible.
Ansible Solution Architecture
The idea is simple:
Ansible Node (Linux)
│
│ WinRM (HTTPS)
▼
Primary Domain Controller (PDC Emulator)
│
│ AD Replication
▼
Other Domain Controllers
The playbook will:
- Target the PDC Emulator (the correct location for AD password changes)
- Download or upload the official Microsoft script
- Perform an initial rotation
- Wait 10 hours (or a configurable delay)
- Perform a second rotation
- Verify replication on all DCs
Prerequisites
On the Ansible controller side:
# Required Windows module
pip install pywinrm
ansible-galaxy collection install ansible.windows
On the Windows Server side (the DCs):
# Enable WinRM (if not already done via GPO)
Enable-PSRemoting -Force
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/service '@{AllowUnencrypted="false"}'
The Ansible playbook
File structure
krbtgt-rotation/
├── inventory/
│ └── production.yml
├── roles/
│ └── krbtgt_rotation/
│ ├── tasks/
│ │ └── main.yml
│ ├── files/
│ │ └── New-KrbtgtKeys.ps1
│ └── defaults/
│ └── main.yml
└── site.yml
Inventory
# inventory/production.yml
all:
children:
domain_controllers:
hosts:
dc01.mydomain.local:
ansible_host: 192.168.1.10
dc02.mydomain.local:
ansible_host: 192.168.1.11
vars:
ansible_user: "MYDOMAIN\\ansible_svc"
ansible_password: "{{ vault_ansible_password }}"
ansible_connection: winrm
ansible_winrm_transport: kerberos
ansible_winrm_server_cert_validation: validate
ansible_port: 5986
> Best practice: Use ansible-vault to encrypt credentials. Never include a password in plain text in an inventory file.
# Encrypting the vault
ansible-vault create group_vars/all/vault.yml
# Content:
# vault_ansible_password: "YourAnsibleServicePassword"
Role defaults
# roles/krbtgt_rotation/defaults/main.yml
# Time between rotations (in seconds)
# 36000 = 10 hours (Microsoft recommendation)
# For testing, you can reduce this to 60 seconds
krbtgt_rotation_delay: 36000
# Mode: 'simulate' (dry-run) or 'reset' (actual rotation)
krbtgt_operation_mode: "simulate"
# Temporary path on the DC for the script
krbtgt_script_dest: "C:\\Windows\\Temp\\New-KrbtgtKeys.ps1"
# Target domain (will be detected automatically if empty)
krbtgt_domain: ""
Main tasks
# roles/krbtgt_rotation/tasks/main.yml
---
# ─── Pre-checks ───────────────────────────────────────────────────────
- name: Check that the ActiveDirectory module is available
ansible.windows.win_powershell:
script: |
if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
throw "ActiveDirectory module not available. Install RSAT."
}
Write-Output "OK"
register: ad_module_check
changed_when: false
- name: Identify the domain PDC Emulator
ansible.windows.win_powershell:
script: |
$pdc = (Get-ADDomain).PDCEmulator
Write-Output $pdc
register: pdc_emulator
run_once: true
changed_when: false
- name: Display the identified PDC Emulator
ansible.builtin.debug:
msg: "PDC Emulator: {{ pdc_emulator.output[0] }}"
run_once: true
# ─── Script Deployment ───────────────────────────────────────────────────
- name: Copy the New-KrbtgtKeys.ps1 script to the DC
ansible.windows.win_copy:
src: New-KrbtgtKeys.ps1
dest: "{{ krbtgt_script_dest }}"
when: inventory_hostname == pdc_emulator.output[0].split('.')[0]
# ─── Checking the current status ──────────────────────────────────────────
- name: Check the date of the last krbtgt password change
ansible.windows.win_powershell:
script: |
$krbtgt = Get-ADUser krbtgt -Properties PasswordLastSet, msDS-KeyVersionNumber
$result = @{
PasswordLastSet = $krbtgt.PasswordLastSet.ToString("yyyy-MM-dd HH:mm:ss")
KeyVersionNumber = $krbtgt.'msDS-KeyVersionNumber'
DaysSinceChange = ((Get-Date) - $krbtgt.PasswordLastSet).Days
}
Write-Output ($result | ConvertTo-Json)
register: krbtgt_current_state
run_once: true
changed_when: false
delegate_to: "{{ pdc_emulator.output[0] }}"
- name: Display the current state of the krbtgt account
ansible.builtin.debug:
msg: "{{ krbtgt_current_state.output[0] | from_json }}"
run_once: true
# ─── First rotation ───────────────────────────────────────────────────────
- name: "First krbtgt rotation (mode: {{ krbtgt_operation_mode }})"
ansible.windows.win_powershell:
script: |
$params = @{
OperationMode = "{{ krbtgt_operation_mode }}"
DomainFQDN = (Get-ADDomain).DNSRoot
}
& "{{ krbtgt_script_dest }}" @params
register: rotation_first
run_once: true
delegate_to: "{{ pdc_emulator.output[0] }}"
when: krbtgt_operation_mode == "reset"
- name: Log of the first rotation
ansible.builtin.debug:
msg: "{{ rotation_first.output }}"
run_once: true
when: krbtgt_operation_mode == "reset"
# ─── Checking replication before waiting ────────────────────────
- name: Force AD replication to all DCs
ansible.windows.win_powershell:
script: |
repadmin /syncall /AdeP
Start-Sleep -Seconds 30
repadmin /showrepl
register: repl_check_1
run_once: true
delegate_to: "{{ pdc_emulator.output[0] }}"
when: krbtgt_operation_mode == "reset"
- name: Check that replication has no errors
ansible.windows.win_powershell:
script: |
$errors = repadmin /showrepl 2>&1 | Select-String "fail|error" -CaseSensitive:$false
if ($errors) {
Write-Warning "Replication errors detected:"
$errors | ForEach-Object { Write-Warning $_.Line }
# Log but do not block - the admin must investigate
} else {
Write-Output "Replication OK"
}
register: repl_errors
run_once: true
delegate_to: "{{ pdc_emulator.output[0] }}"
changed_when: false
# ─── Inter-rotation wait ──────────────────────────────────────────────────
- name: "Wait {{ krbtgt_rotation_delay }} seconds between rotations"
ansible.builtin.pause:
seconds: "{{ krbtgt_rotation_delay }}"
run_once: true
when: krbtgt_operation_mode == "reset"
# ─── Second rotation ────────────────────────────────────────────────────────
- name: "Second krbtgt rotation (permanently invalidating old tickets)"
ansible.windows.win_powershell:
script: |
$params = @{
OperationMode = "{{ krbtgt_operation_mode }}"
DomainFQDN = (Get-ADDomain).DNSRoot
}
& "{{ krbtgt_script_dest }}" @params
register: rotation_second
run_once: true
delegate_to: "{{ pdc_emulator.output[0] }}"
when: krbtgt_operation_mode == "reset"
- name: Log of the second rotation
ansible.builtin.debug:
msg: "{{ rotation_second.output }}"
run_once: true
when: krbtgt_operation_mode == "reset"
# ─── Post-rotation verification ──────────────────────────────────────────────
- name: Verify the new Kerberos version number (msDS-KeyVersionNumber)
ansible.windows.win_powershell:
script: |
$krbtgt = Get-ADUser krbtgt -Properties PasswordLastSet, msDS-KeyVersionNumber
$result = @{
PasswordLastSet = $krbtgt.PasswordLastSet.ToString("yyyy-MM-dd HH:mm:ss")
KeyVersionNumber = $krbtgt.'msDS-KeyVersionNumber'
}
Write-Output ($result | ConvertTo-Json)
register: krbtgt_new_state
run_once: true
changed_when: false
delegate_to: "{{ pdc_emulator.output[0] }}"
- name: Post-rotation summary
ansible.builtin.debug:
msg:
- "=== krbtgt rotation complete ==="
- "New state: {{ krbtgt_new_state.output[0] | from_json }}"
- "Remember to document this rotation in your CMDB."
run_once: true
# ─── Cleanup ───────────────────────────────────────────────────────────────
- name: Remove the script from the DC after use
ansible.windows.win_file:
path: "{{ krbtgt_script_dest }}"
state: absent
when: inventory_hostname == pdc_emulator.output[0].split('.')[0]
Main Playbook
# site.yml
---
- name: Rotate Active Directory krbtgt password
hosts: domain_controllers
gather_facts: false
vars_files:
- group_vars/all/vault.yml
pre_tasks:
- name: Display execution mode
ansible.builtin.debug:
msg: >
Mode: {{ krbtgt_operation_mode | upper }}
{% if krbtgt_operation_mode == 'simulate' %}
(DRY-RUN - no changes will be made)
{% else %}
⚠️ ACTUAL ROTATION - passwords will be changed
{% endif %}
run_once: true
roles:
- role: krbtgt_rotation
Execution
Simulation mode (recommended for testing)
# Verification without any changes
ansible-playbook site.yml \
--ask-vault-pass \
-e "krbtgt_operation_mode=simulate"
The script will display the current account status, the DCs that would be affected, and simulate the process without making any changes.
Actual rotation mode
# Rotation with a full 10-hour delay between the two passes
ansible-playbook site.yml \
--ask-vault-pass \
-e "krbtgt_operation_mode=reset" \
-e "krbtgt_rotation_delay=36000"
Accelerated rotation mode (lab testing)
# 60-second delay - ONLY in a test environment
ansible-playbook site.yml \
--ask-vault-pass \
-e "krbtgt_operation_mode=reset" \
-e "krbtgt_rotation_delay=60"
What to monitor after rotation
Once rotation is complete, the metrics to check:
AD Replication
# On each DC, verify that the version number is identical
Get-ADReplicationUpToDatenessVectorTable -Target "dc01.mydomain.local"
# Check the krbtgt kvno on all DCs
repadmin /showobjmeta * "CN=krbtgt,CN=Users,DC=mydomain,DC=local" |
Select-String "pwdLastSet|msDS-KeyVersionNumber"
Current Kerberos Tickets
After the first rotation, existing tickets remain valid (Windows retains the old password). After the second rotation, all old tickets signed with the previous krbtgt become invalid.
Users will simply need to re-authenticate transparently the next time they access a resource—in the vast majority of cases, they won’t even notice it.
Windows Events to Monitor
In the Event Viewer on the DCs:
- Event ID 4723: Password change attempt
- Event ID 4724: password reset by an admin
- Event ID 4769: Kerberos ticket request (to detect unusual TGSs after rotation)
Integration into a security pipeline
To take it further, this rotation can be integrated into a broader pipeline:
Scheduler (cron/AWX/Semaphore)
│
├─► krbtgt rotation (this playbook)
├─► Slack/Teams/Email notification
└─► Write to CMDB/security log
Example of a Slack notification at the end of the playbook:
- name: Rotation completion notification
community.general.slack:
token: "{{ vault_slack_token }}"
channel: "#soc-alerts"
msg: |
✅ *Krbtgt rotation completed*
Domain: {{ ansible_domain }}
Date: {{ ansible_date_time.iso8601 }}
KeyVersionNumber: {{ krbtgt_new_state.output[0] | from_json | json_query('KeyVersionNumber') }}
run_once: true
delegate_to: localhost
Multi-domain environments
If, like me, you have multiple AD domains (infrastructure + users), the rotation must be performed independently in each domain. The krbtgt account is local to each domain—there is no "global" krbtgt that spans multiple domains, even if they are linked by an approval relationship.
In this case, duplicate the inventory:
# inventory/production.yml
all:
children:
domain_infra:
hosts:
dc-infra-01.infradomain.local:
vars:
ansible_user: "INFRA\\ansible_svc"
# ...
domain_users:
hosts:
dc-users-01.userdomaine.local:
vars:
ansible_user: "USERS\\ansible_svc"
# ...
And run the playbook twice, targeting each group.
In summary
The krbtgt account is to Active Directory what the master key is to a building: if it falls into the wrong hands, all the locks are useless. Rotating it regularly is one of the simplest and most effective measures to limit the duration of a compromise.
With Ansible, the operation becomes repeatable, traceable, and above all unmissable—scheduled in a cron job or an AWX pipeline, it runs without human intervention, with logs and notifications.
Key points to remember:
- Always perform two rotations spaced at least 10 hours apart
- Always target the PDC Emulator for the change
- Verify AD replication between the two passes
- In a multi-domain environment, handle each domain separately
- Test first in
simulatemode before switching toreset
Sources and references: