Kerberos on Aperture Zone

Active Directory: krbtgt, from theory to practice

Wed, 01 Apr 2026 00:00:00 +0000

In the first part of this article, we laid the groundwork: what the krbtgt account is, why the Golden Ticket is a serious threat, and a theoretical Ansible architecture for automating rotations. If you haven’t read that part, I encourage you to start there.

Now we’re getting down to business. The playbook in Part 1 was intentionally simplified to illustrate the concept. In a real production environment, things get complicated—the interactive script that refuses to be controlled, the XML file that can’t be found, the Kerberos double-hop that blocks everything, the root forest that isn’t what we think it is. These are all obstacles I’ve encountered and resolved, which I’m documenting here.

Active Directory: krbtgt the scary account

Wed, 25 Mar 2026 00:00:00 +0000

There are elements in Active Directory that we completely forget about because they never come up in day-to-day operations. The krbtgt account is one of them. Though invisible in everyday use, it is at the heart of all Kerberos authentication in your domain—and its compromise is one of the most catastrophic scenarios an attacker could trigger.

In this article, we’ll explore what this account really is, why you need to change its password regularly, and how to automate this process cleanly with Ansible.

Active Directory: 2016 functional upgrade and approval audit

Mon, 02 Mar 2026 00:00:00 +0000

There are some projects that we put off for years. Not because they're impossible, but because there's always something getting in the way. In my case, it was Exchange 2013—that good old mail server that stood in the way of any attempt to modernize the AD. Since migrating to a lighter solution, the coast was clear. So here's the story of a busy night's work.

The context

The infrastructure runs on two separate Active Directory domains linked by a two-way trust relationship: