Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. Domain users cannot change or reset their passwords when KRBTGT account is restored in Windows client

Domain users cannot change or reset their passwords when KRBTGT account is restored in Windows client

View products that this article applies to.

Symptoms

Consider the following scenario:
  • You have a domain controller that runs Windows Server 2008 R2.
  • You perform an authoritative restore action on the KRBTGT account.
  • You log on to a Windows 8.1 client, a Windows 8 client with the Kerberos.dll file from update 2883201 or a later update, or a Windows 7 client with update 2845626 or a later update.
  • You try to reset or change the domain password.
In this scenario, the password cannot be reset or changed. Additionally, you receive the following error message:
The security Database on the server does not have a computer account for this workstation trust relationship

↑ Back to the top

Cause

This issue occurs because the Windows Server 2008 R2 domain controller handles a specific flag incorrectly. The flag is introduced on the client-side to resolve an issue in which the kerberos.dll file is not updating a user's credential cache if the user logs in by using their user principal name (UPN).

↑ Back to the top

Resolution

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix Download Available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website:
http://support.microsoft.com/contactus/?ws=support
Note The "Hotfix Download Available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this update, you must be running Windows Server 2008 R2.

Registry information

To apply this update, you do not have to make any changes to the registry.

Restart requirement

You have to restart the computer after you apply this update.

Update replacement information

This update does not replace a previously released update.
File information
The global version of this update installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.
Windows Server 2008 R2 file information notes
  • The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:
    VersionProductMilestoneService branch
    6.1.760
    1.18xxx    		Windows Server 2008 R2SP1GDR
    6.1.760
    1.22xxx    		Windows Server 2008 R2SP1LDR
  • GDR service branches contain only those fixes that are widely released to address widespread, very important issues. LDR service branches contain hotfixes in addition to widely released fixes.
  • The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the "Additional file information" section. MUM, MANIFEST, and the associated security catalog (.cat) files, are very important to maintain the state of the updated components. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.
For all supported x64-based versions of Windows Server 2008 R2
File nameFile versionFile sizeDateTimePlatform
Kdcsvc.dll6.1.7601.18321430,08015-Nov-201308:40x64
Kdcsvc.mofNot applicable5,30005-Nov-201002:14Not applicable
Kdcsvc.dll6.1.7601.22515434,68814-Nov-201309:06x64
Kdcsvc.mofNot applicable5,30005-Nov-201002:14Not applicable

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

More Information

To determine whether you have a restored KRBTGT account in your domain, you can run the following command from a domain administrator-elevated command prompt:
repadmin /showobjmeta  <My_DC> "CN=krbtgt,CN=Users,DC=contoso,DC=com" >krbtgt.txt
Because the default restore increments all attributes by 100000 in the output krbtgt.txt file, you may notice the Ver (version) value of the pwdLastSet attribute is 100002 or larger. For example, the output is as follows:
Loc.USN   Originating DSA                      Org.USN       Org.Time/Date        Ver      Attribute
=======   ===============                      =========      =============        ===      =========

8064      Default-First-Site-Name\CONTOSO-DC1  12327     2014-06-23 18:27:03  100002     pwdLastSet


For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Additional file information

Additional files for all supported x86-based versions of Windows Server 2008 R2
File propertyValue
File nameAmd64_083a60db75794a052fd3f717b5e63254_31bf3856ad364e35_6.1.7601.18321_none_c3a69c6aec16db05.manifest
File versionNot applicable
File size724
Date (UTC)12-Feb-2014
Time (UTC)09:46
File nameAmd64_2794d9e0c08eff34203cc2597716f143_31bf3856ad364e35_6.1.7601.22515_none_4afc980b6bfe24b0.manifest
File versionNot applicable
File size724
Date (UTC)12-Feb-2014
Time (UTC)09:46
File nameAmd64_microsoft-windows-k..distribution-center_31bf3856ad364e35_6.1.7601.18321_none_e9cfe261aaeb5c6c.manifest
File versionNot applicable
File size35,825
Date (UTC)15-Nov-2013
Time (UTC)09:22
File nameAmd64_microsoft-windows-k..distribution-center_31bf3856ad364e35_6.1.7601.22515_none_ea685226c3fd42c8.manifest
File versionNot applicable
File size35,825
Date (UTC)14-Nov-2013
Time (UTC)09:37

↑ Back to the top

Keywords: kb, kbautohotfix, kbqfe, kbhotfixserver, kbfix, kbsurveynew, kbexpertiseadvanced

↑ Back to the top

Article Info
Article ID : 2910686
Revision : 1
Created on : 1/7/2017
Published on : 1/15/2015
Exists online : False
Views : 238