computer account change password with Windows 2008 domain

Tim Alsop Tim.Alsop at CyberSafe.Com
Tue Apr 1 09:02:18 EDT 2008



We have discovered a problem when we try to set/change password for a
computer account in AD on Windows Server 2008. The computer account is
created so we can use it for a service/application, and the key is
created from its password (randomly generated) and extracted into a key
table file.


Our code is able to create the account (authenticating to AD using
SASL/GSS/Kerberos) but when we try and set the computer account's
password to a random value, the request is rejected, so it looks like AD
on Windows 2008 has some changes which stop password changes for
computer accounts, or maybe something which is stopping changes to
passwords for accounts that use a principal name such as
name/fqdn@REALM.


The same code works perfectly on Windows Server 2003 domains, so we
suspect some changes in Windows Server 2008 have caused this set/change
password restriction.


Does anybody have any experience of the same problem?



