Domain Persistence Golden Ticket Attack

AD Default Local Account
Default local accounts are built-in accounts that are created automatically when a Windows Server domain controller is installed and the domain is created.
These default local accounts have counterparts in Active Directory. The default local accounts in the Users container include: Administrator, Guest, and KRBTGT. The HelpAssistant account is installed when a Remote Assistance session is established. The following sections describe the default local accounts and their use in Active Directory.

Kerberos Authentication Process
In an Active Directory domain, every domain controller runs a KDC (Key Distribution Center) service that processes all Kerberos ticket requests. For Kerberos tickets, AD uses the KRBTGT account in the AD domain. KRBTGT is also the security principal name used by the KDC for a Windows Server domain.

  • Legitimate User: Begins the communication for a service request.
  • Application Server: The server with the service the user wants to access.
  • Key Distribution Center (KDC): The KRBTGT account acts as the service account for the KDC, which is separated into three parts: Database (db), Authentication Server (AS) and Ticket Granting Server (TGS).
  • Authentication Server (AS): Verifies client authentication. If the logged-on user is authenticated successfully, the AS issues a ticket called a TGT.
  • Ticket Granting Ticket (TGT): Confirms to other servers that the user has been authenticated.
  • Ticket Granting Server (TGS): The user requests a TGS from the KDC, which will be used to access the service of the application server.
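
The roles listed above, modeled end to end as an added example (not code from the original post): the AS issues a TGT bound to the KRBTGT key, the TGS validates it before issuing a service ticket, and the application server accepts only tickets bound to its own key. Assumptions: the principal names, the in-memory `DB`, and HMAC-SHA256 as a stand-in for real Kerberos ticket encryption are all constructed for illustration.

```python
import hashlib, hmac, json, os, time

# Constructed KDC database: principal -> long-term key (toy values, not real AD data).
DB = {name: os.urandom(32) for name in ("krbtgt", "alice", "http/app01")}

def seal(key, body):
    """Serialize a ticket and bind it to `key` with HMAC-SHA256 (stand-in for Kerberos encryption)."""
    blob = json.dumps(body, sort_keys=True).encode()
    return blob + hmac.new(key, blob, hashlib.sha256).digest()

def unseal(key, ticket):
    """Return the ticket body if the MAC verifies under `key` and it has not expired, else None."""
    blob, mac = ticket[:-32], ticket[-32:]
    if not hmac.compare_digest(mac, hmac.new(key, blob, hashlib.sha256).digest()):
        return None
    body = json.loads(blob)
    return body if body["exp"] > time.time() else None

def as_request(user, proof):
    """Authentication Server: verify the client, then issue a TGT sealed with the KRBTGT key."""
    key = DB.get(user)
    if key is None or not hmac.compare_digest(proof, hmac.new(key, b"as-req", hashlib.sha256).digest()):
        return None
    return seal(DB["krbtgt"], {"user": user, "exp": time.time() + 600})

def tgs_request(tgt, service):
    """Ticket Granting Server: validate the TGT, then issue a ticket sealed with the service's key."""
    body = unseal(DB["krbtgt"], tgt)
    if body is None or service not in DB:
        return None
    return seal(DB[service], {"user": body["user"], "svc": service, "exp": body["exp"]})

def app_server(service, ticket):
    """Application server: accept only tickets sealed with its own key; return the user name."""
    body = unseal(DB[service], ticket)
    return body["user"] if body and body["svc"] == service else None

def login(user):
    """Client side (simplified): prove knowledge of the user's own long-term key to the AS."""
    return as_request(user, hmac.new(DB[user], b"as-req", hashlib.sha256).digest())
```

A TGT whose contents are altered after issuance no longer verifies under the KRBTGT key, so `tgs_request` returns `None` for it.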
