Event ID 10 — KDC Password Configuration

Applies To: Windows Server 2008

The Key Distribution Center (KDC) issues a Kerberos ticket-granting ticket (TGT) to the Kerberos client. The TGT is encrypted with the KDC account's password.

Event Details

Product: Windows Operating System
ID: 10
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Version: 6.0
Symbolic Name: KDCEVENT_KRBTGT_PASSWORD_CHANGE_FAILED
Message: The attempt to change the password on the KRBTGT account failed. The error code is in the data field

Resolve

Reset krbtgt user account password twice

To resolve this issue, reset the krbtgt user account password twice by using Active Directory Users and Computers. You must reset the password twice because the password history for this account is two passwords. By resetting the password twice, you are removing the original password from the password history.

To perform this procedure, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.

To reset the krbtgt user account password twice:

  1. Log on to a computer that has Active Directory Users and Computers installed. It is installed by default on a domain controller.
  2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  3. Navigate to the organizational unit where the **krbtgt** user account is stored. By default, this organizational unit is named Users.
  4. Right-click krbtgt, and then click Reset Password.
  5. In the New password box, type the new password.
  6. In the Confirm Password box, retype the password.
  7. Clear the User must change password at next logon check box, and then click OK.
  8. Repeat steps 4-7 to reset the password again.
  9. Close Active Directory Users and Computers.

Verify

After you reset the krbtgt password, ensure that event ID 6 in the Microsoft-Windows-Kerberos-Key-Distribution-Center event source is written to the System event log. 

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To open the System event log:

  1. Log on to a domain controller.
  2. Click Start, and then click Control Panel.
  3. Double-click Administrative Tools, and then click Event Viewer.
  4. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  5. Expand Windows Logs, and then click System.
  6. Ensure that Event ID 6 from the Microsoft-Windows-Kerberos-Key-Distribution-Center event source is shown.
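
The same check can be scripted, which also shows whether event ID 10 was logged again after the reset. This is an added example, not part of the original article; it assumes PowerShell 2.0 or later (for Get-WinEvent), and the function name Test-KrbtgtResetEvent and its parameters are chosen for illustration.

```powershell
# Added example: confirm the krbtgt reset from the System log of a domain controller.
# Test-KrbtgtResetEvent, -ComputerName and -Since are names chosen for this example.
function Test-KrbtgtResetEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [Parameter(Mandatory = $true)][datetime]$Since   # time just before the first reset
    )

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 6, 10
        StartTime    = $Since
    }

    try {
        $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop)
    }
    catch {
        # Get-WinEvent reports "no matching events" as an error; anything else
        # (access denied, host unreachable) must not be mistaken for an empty log.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') { throw }
        $events = @()
    }

    # Events are returned newest first.
    $event6  = @($events | Where-Object { $_.Id -eq 6 })
    $event10 = @($events | Where-Object { $_.Id -eq 10 })

    $latest6 = $null
    if ($event6.Count -gt 0) { $latest6 = $event6[0].TimeCreated }

    New-Object PSObject -Property @{
        ComputerName = $ComputerName
        Event6Count  = $event6.Count
        LatestEvent6 = $latest6
        Event10Count = $event10.Count
        # Event ID 6 present and no new event ID 10 since the reset
        Verified     = ($event6.Count -gt 0 -and $event10.Count -eq 0)
    }
}

# Run on the domain controller, covering the last hour
Test-KrbtgtResetEvent -Since (Get-Date).AddHours(-1)
```

Run it from an elevated session with the same group membership that the Event Viewer procedure requires.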
