Secure your Simple AD directory - Amazon Directory Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Secure your Simple AD directory

This section describes considerations for securing your Simple AD environment.

How to reset a Simple AD krbtgt account password

The krbtgt account is the Key Distribution Center's service account: its password derives the key that encrypts every Ticket Granting Ticket (TGT) issued in the domain, so anyone holding it can forge tickets for any principal. For more information, see the Samba documentation. We recommend rotating this password on a regular schedule, at least every 90 days.

You can reset the krbtgt account password from one of the following Simple AD joined instances:

  • Amazon EC2 Windows

  • Amazon EC2 Linux

Note

Amazon Simple AD is powered by Samba-AD. Samba-AD does not keep the previous (N-1) hash of the krbtgt account, so TGTs issued under the old password stop validating as soon as the password is reset. Each Kerberos client must then obtain a new TGT (re-authenticate) during its next Service Ticket (ST) request. To minimize potential service disruptions, schedule krbtgt password resets outside of business hours.

The following procedures show how to reset the krbtgt account password from either an EC2 Windows or an EC2 Linux instance.

Amazon EC2 Windows Instance
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. In the Amazon EC2 console, choose Instances and select the Windows Server instance. Then choose Connect.

  3. In the Connect to instance page, choose RDP client.

  4. In the Windows Security dialog box, enter the credentials of your Simple AD Administrator account to sign in. The username can be in either of the following formats: NetBIOS-Name\administrator or DNS-Name\administrator. For example, corp\administrator would be the username if you followed the procedure in Create your Simple AD Active Directory.

  5. Once signed in to the Windows Server computer, open Windows Administrative Tools from the Start menu by choosing Windows Administrative Tools folder.

  6. In the Windows Administrative Tools folder, open Active Directory Users and Computers.

  7. In the Active Directory Users and Computers window, select View and then choose Advanced Features.

  8. In the Active Directory Users and Computers window, select Users from the left panel.

  9. Find the user named krbtgt, right-click it, and select Reset Password.

  10. In the new window, enter the new password, enter it again, and then choose OK to reset the krbtgt account password.

Amazon EC2 Linux Instance
  1. Connect to the domain-joined Amazon EC2 Linux instance using an SSH client.

  2. Create an LDIF file named change_krbtgt_password.ldif on the instance with the following content:

    dn: CN=krbtgt,CN=Users,DC=example,DC=com
    changetype: modify
    replace: unicodePwd
    unicodePwd:: BASE64_ENCODED_NEW_PASSWORD

    Note

    Make the following changes to the LDIF file so that it matches your Active Directory environment:

    • Replace DC=example,DC=com with the DC components of your domain, one DC= component per DNS label.

    • Replace BASE64_ENCODED_NEW_PASSWORD with the new password, enclosed in double quotes, encoded as UTF-16LE and then base64. Active Directory and Samba-AD only accept unicodePwd values in this form; the double colon (::) tells LDIF that the value is base64.

    The following is an example of how you can encode the password in UTF-16LE and base64 using Linux command-line tools:

    echo -n '"new-desired-password"' | iconv -f UTF-8 -t UTF-16LE | base64

    Replace new-desired-password with your preferred new password. Keep the surrounding double quotes; they are part of the value Active Directory expects. If base64 wraps its output onto more than one line, join it into a single line before pasting it into the LDIF file, and make sure the password meets the password policy requirements of Simple AD.

  3. Run the following ldapmodify command to apply the LDIF file. You are prompted for the Administrator password when the command runs.

    ldapmodify -H ldap://your_ldap_server -D "CN=Administrator,CN=Users,DC=example,DC=com" -W -f change_krbtgt_password.ldif

    Replace ldap://your_ldap_server with the URL of your Simple AD directory's LDAP endpoint and DC=example,DC=com with your domain information. Note that -W performs a simple bind, which sends the Administrator password to the directory unencrypted over a plain ldap:// connection, so run this only from an instance inside the VPC that hosts the directory.
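The following script is an added example and not part of the Amazon documentation. It automates the Linux procedure above: it builds the unicodePwd value (quoted, UTF-16LE, base64), writes change_krbtgt_password.ldif for a domain given as a DNS name, decodes the value back to confirm the round trip before anything is sent, and only then calls ldapmodify. The domain corp.example.com, the environment variables LDAP_SERVER, NEW_KRBTGT_PASSWORD, SIMPLE_AD_DOMAIN and RUN_LDAPMODIFY, and the test password are assumptions for illustration; the krbtgt and Administrator DNs and the ldapmodify invocation are the page's own.

```shell
#!/bin/sh
# Added example, not from the Amazon documentation. Assumed: domain
# corp.example.com, env vars LDAP_SERVER / NEW_KRBTGT_PASSWORD / RUN_LDAPMODIFY.
set -eu

# Convert stdin (UTF-8) to UTF-16LE. Uses iconv when available; the fallback
# is byte-by-byte and therefore only correct for ASCII passwords.
to_utf16le() {
    if command -v iconv >/dev/null 2>&1; then
        iconv -f UTF-8 -t UTF-16LE
    else
        od -An -v -tu1 | tr -s ' \n' '\n\n' | while read -r byte; do
            [ -n "$byte" ] || continue
            # Each ASCII byte becomes <byte> 0x00 in UTF-16LE.
            printf "\\$(printf '%03o' "$byte")\\000"
        done
    fi
}

# Encode a password as Active Directory / Samba-AD require for unicodePwd:
# wrap in double quotes, UTF-16LE, base64 on a single line.
encode_unicode_pwd() {
    password=$1
    if ! command -v iconv >/dev/null 2>&1 &&
       [ -n "$(printf '%s' "$password" | LC_ALL=C tr -d '\040-\176')" ]; then
        echo 'encode_unicode_pwd: non-ASCII password requires iconv' >&2
        return 1
    fi
    printf '"%s"' "$password" | to_utf16le | base64 | tr -d '\n'
}

# Reverse the encoding so the operator can confirm what will actually be set.
# The surrounding quotes are protocol framing, not part of the password.
decode_unicode_pwd() {
    if command -v iconv >/dev/null 2>&1; then
        decoded=$(printf '%s' "$1" | base64 -d | iconv -f UTF-16LE -t UTF-8)
    else
        decoded=$(printf '%s' "$1" | base64 -d | tr -d '\000')
    fi
    decoded=${decoded#\"}
    printf '%s' "${decoded%\"}"
}

# corp.example.com -> DC=corp,DC=example,DC=com
domain_to_base_dn() {
    printf 'DC=%s' "$1" | sed 's/\./,DC=/g'
}

# Write the LDIF from the procedure above for the given domain and password.
make_krbtgt_ldif() {
    ldif_domain=$1 ldif_password=$2 ldif_out=$3
    b64=$(encode_unicode_pwd "$ldif_password") || return 1
    base_dn=$(domain_to_base_dn "$ldif_domain")
    cat >"$ldif_out" <<EOF
dn: CN=krbtgt,CN=Users,${base_dn}
changetype: modify
replace: unicodePwd
unicodePwd:: ${b64}
EOF
}

# Only touches the directory when the operator opts in, e.g.:
#   LDAP_SERVER=ldap://10.0.0.10 NEW_KRBTGT_PASSWORD='...' RUN_LDAPMODIFY=1 sh reset_krbtgt.sh
if [ "${RUN_LDAPMODIFY:-}" = 1 ]; then
    domain=${SIMPLE_AD_DOMAIN:-corp.example.com}
    make_krbtgt_ldif "$domain" "$NEW_KRBTGT_PASSWORD" change_krbtgt_password.ldif
    # Round-trip check: refuse to proceed if the encoded value does not decode
    # back to the intended password (catches locale/iconv mistakes).
    stored=$(sed -n 's/^unicodePwd:: //p' change_krbtgt_password.ldif)
    [ "$(decode_unicode_pwd "$stored")" = "$NEW_KRBTGT_PASSWORD" ] ||
        { echo 'unicodePwd round-trip failed; not sending' >&2; exit 1; }
    ldapmodify -H "$LDAP_SERVER" \
        -D "CN=Administrator,CN=Users,$(domain_to_base_dn "$domain")" \
        -W -f change_krbtgt_password.ldif
fi
```

The round-trip check matters more than it looks: a password that is base64-encoded without the quotes, or from UTF-8 instead of UTF-16LE, is accepted syntactically by the LDIF but sets a krbtgt password you do not know, which then has to be reset again.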