Hi,
we backup our ad users with Veeam and had to restore some of them. So far no problem, the restore succeeded and user was back including the old password.
The user could logon into computers, but he wouldn’t get any kerberos tickets. Only after a password change the behavior was completely normal.
We couldn’t find any reason for this as only timestamps get changed with the user object. Any ideas why it istn’t working as expected?
Thanks and happy holidays
Best answer by Chris.Childerhose
So I did some more digging with Gemini and it seems that the Kerberos ticket for the user is based on the password so when you restore a user if this is out of sync with the Domain Controllers then resetting the password is the best course of action. There are other options to reset the Kerberos Ticket for a user as noted below.
🔍 Why Kerberos Breaks After Restoring an AD User
When you restore an Active Directory user object from backup, Veeam brings back:
- The old password hash
- The old Kerberos keys (derived from the password)
- The old timestamps (like
pwdLastSet,lastLogonTimestamp, etc.)Kerberos relies heavily on cryptographic keys derived from the user’s password. If the restored object’s keys are out of sync with what the domain controllers expect, the user can authenticate via NTLM but Kerberos ticket creation fails.
This is exactly what the community report describes:
“The user could logon into computers, but he wouldn’t get any kerberos tickets. Only after a password change the behavior was completely normal.” Veeam Community Resource Hub
✅ Root Cause
Kerberos keys are generated from:
- The user’s password
- The salt (usually username + domain)
- Timestamps
When you restore an older version of the user object:
- The password hash is old
- The Kerberos encryption keys are old
- The Key Version Number (KVNO) may no longer match what the KDC expects
So the KDC refuses to issue a TGT.
Changing the password forces AD to:
- Generate new Kerberos keys
- Update KVNO
- Sync the object across domain controllers
…and Kerberos starts working again.
✅ How to Fix It
✅ 1. Change the user’s password
This immediately regenerates Kerberos keys and resolves the issue.
✅ 2. If you cannot change the password
You can force a key regeneration using:
Set-ADAccountPassword -Identity username -Resetor
ksetup /setcomputerpassword…but realistically, a password reset is the cleanest fix.
✅ How to Prevent This in the Future
If you frequently restore AD objects, consider:
✅ Use authoritative restore only when needed
Non-authoritative restores can cause replication mismatches.
✅ Avoid restoring very old AD user versions
The older the backup, the more likely Kerberos keys will be stale.
✅ Use Veeam’s AD Explorer carefully
It restores the object exactly as it was — including outdated Kerberos metadata.
+21It appears this is the case with having to change the password to get Kerberos tickets working. Will try to dig up more information but got this from a quick Google search.
+21Hi
You may want to confirm with Veeam Support this is “normal” behavior for AD restores...just to make sure.
Best.
+21So I did some more digging with Gemini and it seems that the Kerberos ticket for the user is based on the password so when you restore a user if this is out of sync with the Domain Controllers then resetting the password is the best course of action. There are other options to reset the Kerberos Ticket for a user as noted below.
🔍 Why Kerberos Breaks After Restoring an AD User
When you restore an Active Directory user object from backup, Veeam brings back:
- The old password hash
- The old Kerberos keys (derived from the password)
- The old timestamps (like
pwdLastSet,lastLogonTimestamp, etc.)Kerberos relies heavily on cryptographic keys derived from the user’s password. If the restored object’s keys are out of sync with what the domain controllers expect, the user can authenticate via NTLM but Kerberos ticket creation fails.
This is exactly what the community report describes:
“The user could logon into computers, but he wouldn’t get any kerberos tickets. Only after a password change the behavior was completely normal.” Veeam Community Resource Hub
✅ Root Cause
Kerberos keys are generated from:
- The user’s password
- The salt (usually username + domain)
- Timestamps
When you restore an older version of the user object:
- The password hash is old
- The Kerberos encryption keys are old
- The Key Version Number (KVNO) may no longer match what the KDC expects
So the KDC refuses to issue a TGT.
Changing the password forces AD to:
- Generate new Kerberos keys
- Update KVNO
- Sync the object across domain controllers
…and Kerberos starts working again.
✅ How to Fix It
✅ 1. Change the user’s password
This immediately regenerates Kerberos keys and resolves the issue.
✅ 2. If you cannot change the password
You can force a key regeneration using:
Set-ADAccountPassword -Identity username -Resetor
ksetup /setcomputerpassword…but realistically, a password reset is the cleanest fix.
✅ How to Prevent This in the Future
If you frequently restore AD objects, consider:
✅ Use authoritative restore only when needed
Non-authoritative restores can cause replication mismatches.
✅ Avoid restoring very old AD user versions
The older the backup, the more likely Kerberos keys will be stale.
✅ Use Veeam’s AD Explorer carefully
It restores the object exactly as it was — including outdated Kerberos metadata.
+21Thanks for the detailed information, this is very helpful.
Not a problem. Glad to have helped out and hopefully restore are smoother now.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
