This occurs because there is special logic when changing the password for krbtgt. While the Active Directory Users and Computers (dsa.msc) snap-in allows you to enter a password, it won't be used when changing the password. Instead, the Active Directory creates a very long string of random bits to use as the password. Since this string contains random data and not Unicode characters, it fails the typical tests included in password filters. These tests typically include checking to see if password contains a certain combination of upper and lower case letters, numbers, and punctuation.