Stale krbtgt Password can have Increased Risk of Golden Ticket Attack

Seema Kanwal Gurmani 336 Reputation points
2025-07-29T05:30:24.06+00:00

Dear Community

Kindly note that we have a single domain and a single tree. We have four sites, and each site has its own domain controller. They are all getting synced. I have the local Active Directory synced with Azure AD for Office 365 accounts. After we had a third party do VAPT in our environment, they said that the stale krbtgt password has an increased risk of Golden Ticket attack. I wanted to know: what is the recommended standard practice? And if it is recommended to change it, what will be its impact in my environment as explained previously?

I have selected the tag as ADFS, but I have Active Directory Domain Services.

Microsoft Security | Active Directory Federation Services

2 answers

  1. Geoff McKenzie 950 Reputation points
    2025-07-29T06:27:15.8766667+00:00

  2. EduardsGrebezs 941 Reputation points
    2025-07-29T12:41:36.8533333+00:00

    Hello,

    It depends on when your krbtgt account password was last changed, or whether it was changed at all.

    Best practice is to change the password twice, with 10h (the default ticket lifetime) in between resets. So basically 2 password resets for the krbtgt account to erase the remembered password.

    Now it is possible to do it without a PowerShell script, from the ADUC GUI.

    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/forest-recovery-guide/ad-forest-recovery-reset-the-krbtgt-password

    Here is a good article - https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/faqs-from-the-field-on-krbtgt-reset/2367838

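Before and between the two resets described above, a defender wants to know how old the current krbtgt password is, whether the default 10h ticket lifetime has passed since the last reset, and whether every DC across the four sites has already replicated the current key. The following PowerShell check is an added example, not code from the thread or from either answer; it assumes the ActiveDirectory RSAT module, the default 10h maximum user ticket lifetime, and a 180-day review threshold chosen only for illustration.

```powershell
# Added example: report krbtgt password age, whether a second reset is safe yet,
# and whether all DCs agree on the current key version (replication convergence).
# Assumes the ActiveDirectory module and a session permitted to read the krbtgt object.
Import-Module ActiveDirectory

# Kerberos "Maximum lifetime for user ticket" in hours. 10 is the Windows default and
# is assumed here; confirm against the Default Domain Policy if your domain changed it.
$MaxTicketAgeHours = 10
$StaleAfterDays    = 180   # assumed review threshold; align with your own policy

$domain = Get-ADDomain
$dcs    = (Get-ADDomainController -Filter * -Server $domain.PDCEmulator).HostName

# Query each DC for its own copy of krbtgt so that replication lag between sites is visible.
$perDc = foreach ($dc in $dcs) {
    try {
        $u = Get-ADUser -Identity krbtgt -Server $dc -Properties PasswordLastSet, 'msDS-KeyVersionNumber'
        [pscustomobject]@{ DC = $dc; PasswordLastSet = $u.PasswordLastSet; KVNO = $u.'msDS-KeyVersionNumber' }
    } catch {
        # A DC that cannot be reached is reported with empty values rather than skipped.
        [pscustomobject]@{ DC = $dc; PasswordLastSet = $null; KVNO = $null }
    }
}
$perDc | Format-Table -AutoSize

$reference = $perDc | Where-Object PasswordLastSet | Sort-Object PasswordLastSet -Descending | Select-Object -First 1
if (-not $reference) { throw 'Could not read the krbtgt object from any domain controller.' }

$age       = (Get-Date) - $reference.PasswordLastSet
$converged = ($perDc.KVNO | Sort-Object -Unique).Count -eq 1

Write-Host ("krbtgt password last set: {0} ({1:N0} days ago, KVNO {2})" -f `
    $reference.PasswordLastSet, $age.TotalDays, $reference.KVNO)

if (-not $converged) {
    Write-Warning 'DCs report different KVNO values; wait for replication before any further reset.'
} elseif ($age.TotalHours -lt $MaxTicketAgeHours) {
    Write-Warning ("Last reset was under {0}h ago; tickets issued under the previous key may still be valid. Do not reset again yet." -f $MaxTicketAgeHours)
} elseif ($age.TotalDays -gt $StaleAfterDays) {
    Write-Warning ("krbtgt password is older than {0} days; plan the two-step reset with at least {1}h between resets." -f $StaleAfterDays, $MaxTicketAgeHours)
} else {
    Write-Host 'krbtgt password age is within threshold and all DCs agree; no action needed now.'
}
```

Run it once before the first reset to record the baseline KVNO, and again before the second reset: the script should show the KVNO incremented on every DC and more than 10h elapsed before you proceed.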
