Automatically roll over the Kerberos decryption key Azure AD Connect SSO

It’s highly recommended to roll over the Kerberos decryption key for the Azure AD Connect SSO computer account every 30 days. There is no built-in feature to roll this key over automatically.

You will notice this warning in the Azure portal if the key hasn’t been rolled over recently.

I’ve used this blog article to secure the service account password on the server:
http://www.sameie.com/2017/10/05/create-hashed-password-file-for-powershell-use/

I’ve configured a PowerShell script that runs as a scheduled task on the server where Azure AD Connect is installed.
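The following is an added example of such a scheduled-task script, not the post’s own; it uses Microsoft’s AzureADSSO module cmdlets (Import-Module of AzureADSSO.psd1, New-AzureADSSOAuthenticationContext, Update-AzureADSSOForest, Get-AzureADSSOStatus) together with DPAPI-protected password files of the kind the linked article describes. The file paths, account names, log location and the -CloudCredential parameter are assumptions for the example.

```powershell
# Added example (not the blog's script): roll over the Seamless SSO Kerberos decryption
# key from a scheduled task. All paths and account names below are assumed values.
$AzureADConnectPath = 'C:\Program Files\Microsoft Azure Active Directory Connect'
$CloudUser          = 'sso-rollover@contoso.onmicrosoft.com'   # assumed cloud admin account
$OnPremUser         = 'CONTOSO\svc-sso-rollover'                # assumed on-prem domain admin
$CloudPwdFile       = 'C:\Scripts\cloud.pwd'                    # DPAPI-protected password files
$OnPremPwdFile      = 'C:\Scripts\onprem.pwd'
$LogFile            = 'C:\Scripts\sso-rollover.log'

function Write-Log ([string]$Message) {
    "$(Get-Date -Format 'u') $Message" | Out-File -FilePath $LogFile -Append
}

# The password files are created once, interactively, while logged on as the same
# account that runs the task. ConvertFrom-SecureString protects them with DPAPI,
# so only that user on this host can decrypt them again:
#   Read-Host -AsSecureString | ConvertFrom-SecureString | Out-File C:\Scripts\cloud.pwd
function Get-StoredCredential ([string]$UserName, [string]$PasswordFile) {
    $secure = Get-Content -Path $PasswordFile | ConvertTo-SecureString
    return New-Object System.Management.Automation.PSCredential ($UserName, $secure)
}

try {
    Import-Module (Join-Path $AzureADConnectPath 'AzureADSSO.psd1') -ErrorAction Stop

    $cloudCred  = Get-StoredCredential -UserName $CloudUser  -PasswordFile $CloudPwdFile
    $onPremCred = Get-StoredCredential -UserName $OnPremUser -PasswordFile $OnPremPwdFile

    # Authenticate to the tenant (assumed -CloudCredential parameter), then roll the
    # key of the AZUREADSSOACC computer account for this forest.
    New-AzureADSSOAuthenticationContext -CloudCredential $cloudCred
    Update-AzureADSSOForest -OnPremCredentials $onPremCred

    # Record the result so a failed run is noticed; the portal warning clears once
    # the key is fresh.
    $status = Get-AzureADSSOStatus
    Write-Log "Key rollover completed. SSO status: $status"
}
catch {
    Write-Log "Key rollover FAILED: $($_.Exception.Message)"
    exit 1
}
```

Register the script as a task that repeats every 30 days under the account whose DPAPI profile created the password files; a task run under any other account cannot decrypt them and will fail at Get-StoredCredential, which the log makes visible.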

Output:

Disclaimer: All scripts and references on this blog are offered “as is” with no warranty. These scripts are tested in my environment; it is recommended that they are tested in a test environment before being used in production.
