#windows-server 1 post tagged windows-server. KRBTGT: The Account That Owns Active Directory May 22, 2026 Active Directory ships with one cryptographic key whose disclosure forges valid TGTs for every principal -- and why rotating it is necessary but not sufficient.