Event ID 10 — KDC Password Configuration
Applies To: Windows Server 2008 R2
The Kerberos ticket-granting ticket (TGT) is enciphered with the Kerberos Key Distribution Center (KDC) account's password. The TGT is issued to the Kerberos client from the KDC.
|Product:||Windows Operating System|
|Message:||The attempt to change the password on the KRBTGT account failed. The error code is in the data field|
Reset krbtgt user account password twice
To resolve this issue, reset the krbtgt user account password twice by using Active Directory Users and Computers. You must reset the password twice because the password history for this account is two passwords. By resetting the password twice, you are removing the original password from the password history.
To perform this procedure, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.
To reset the krbtgt user account password twice:
- Log on to a computer that has Active Directory Users and Computers installed. It is installed by default on a domain controller.
- Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
- Navigate to the organizational unit where the krbtgt **user account is stored. By default, this organizational unit is named **Users.
- Right-click krbtgt, and then click Reset Password.
- In the New password box, type the new password.
- In the Confirm Password box, retype the password.
- Clear the User must change password at next logon check box, and then click OK.
- Repeat steps 4-7 to reset the password again.
- Close Active Directory Users and Computers.
After you reset the krbtgt password, ensure that event ID 6 in the Microsoft-Windows-Kerberos-Key-Distribution-Center event source is written to the System event log.
To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
To open the System event log:
- Log on to a domain controller.
- Click Start, and then click Control Panel.
- Double-click Administrative Tools, and then click Event Viewer.
- If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- Expand Windows Logs, and then click System.
- Ensure that Event ID 6 from the Microsoft-Windows-Kerberos-Key-Distribution-Center event source is shown.