Administrator Account Is Not Usable by Non-Windows 2000 Kerberos Clients

All Windows 2000 user accounts are also Kerberos principal names. This allows non-Windows-based implementations of Kerberos to use a Windows 2000 domain as a Kerberos realm. To enable this functionality, the equivalent DES-based key for use by interoperable implementations is stored whenever an account is created or a password is changed.

An account does not have a DES key in the following situations:

• When a domain is upgraded.
• When the initial administrator account on a new domain is created.

When an existing domain is upgraded, the only keys available on the accounts are the existing challenge/response (NTLM) keys. These keys are used by the default encryption type in the Windows 2000 Kerberos implementation (RC4-HMAC-NT). However, these accounts do not have the DES keys that are used when the interoperable encryption types are used (DES-CBC-CRC and DES-CBC-MD5). Until these keys are set by a password change, only the NTLM encryption types are used.

The Administrator account in a new domain also does not have an associated DES key. Clients that are not using Windows 2000 Kerberos cannot gain access to the account. When the password for the Administrator account is changed, all the associated keys are created. Clients that are not using Windows 2000 Kerberos can then gain access to the Administrator account.