By default, the KRBTGT domain account is disabled. Attempting to enable this account results in the following message:
Krbtgt could not be enabled due to the following problem: Cannot perform this operation on built-in accounts.
Unlike other user accounts, the KRBTGT account cannot be used to log on to the domain, and therefore does not need to be enabled. The account cannot be renamed because it is a built-in account. Attempting to rename the KRBTGT account results in the following message:
One of the names could not be changed due to the following problem: Cannot perform this operation on built-in accounts. Please try again.
This behavior is by design.
Windows 2000 uses Kerberos as its default authentication protocol. Authentication is achieved by using tickets that are enciphered with a symmetric key that is derived from the password of the server or service to which access is requested. To request such a session ticket, a special ticket called the Ticket Granting Ticket (TGT) must be presented to the Kerberos service itself. The TGT is enciphered with a key that is derived from the password of the KRBTGT account, which is known only by the Kerberos service.
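The key relationships described above can be modelled in a few lines; this is an added illustration, not Microsoft's code or the real Kerberos wire format. The names `KDC`, `seal`, `unseal` and `string_to_key` are hypothetical, the key derivation and cipher are simplified stand-ins, and session keys, timestamps and authenticators are omitted.

```python
import hashlib, hmac, os

def string_to_key(password, salt):
    # Stand-in derivation (assumption): PBKDF2-HMAC-SHA1, not a real Kerberos enctype.
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 32)

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):
    # Toy keystream: HMAC-SHA256 in counter mode.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ks = _stream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    # Returns the plaintext, or None when the blob was not sealed under this key.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    ks = _stream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

class KDC:
    def __init__(self, realm, krbtgt_password):
        # Only the Kerberos service holds the key derived from the KRBTGT password.
        self._krbtgt_key = string_to_key(krbtgt_password, realm + "krbtgt")
        self._service_keys = {}

    def register_service(self, spn, password):
        self._service_keys[spn] = string_to_key(password, spn)

    def issue_tgt(self, user):
        return seal(self._krbtgt_key, b"TGT|" + user.encode())

    def issue_session_ticket(self, tgt, spn):
        body = unseal(self._krbtgt_key, tgt)  # the TGT must open under the KRBTGT key
        if body is None or not body.startswith(b"TGT|") or spn not in self._service_keys:
            return None
        return seal(self._service_keys[spn], b"ST|" + body[4:] + b"|" + spn.encode())
```

A service that knows only its own password-derived key can open the session ticket issued for it but not the TGT, and the model KDC refuses any TGT that does not open under the KRBTGT key.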