Automatically roll over the Kerberos decryption key Azure AD Connect SSO

Joachim

February 23, 2018

AzureAD

Its’ highly recommended to roll over the kerberos key for Azure AD Connect SSO computer account every 30 days. There is no feature to enable auto roll over of this key.

You will notice this warning in the Azure portal if the key hasn’t been rolled over recently.

I’ve used this Blog article to secure the password on the server for the service account:
http://www.sameie.com/2017/10/05/create-hashed-password-file-for-powershell-use/

I’ve configured a Powershell script that runs as a scheduled task on the server where Azure AD Connect is Installed.

# Requirements:
# Microsoft Online Services Sign-In Assistant.
# 64-bit Azure Active Directory module for Windows PowerShell.

$CloudUser = 'service_account@domain.com'
$CloudEncrypted = Get-Content "C:\Scripts\Cloud_Encrypted_Password.txt" | ConvertTo-SecureString
$CloudCred = New-Object System.Management.Automation.PsCredential($CloudUser,$CloudEncrypted)
$OnpremUser = 'DOMAIN\service_account'
$OnpremEncrypted = Get-Content "C:\Scripts\Onprem_Encrypted_Password.txt" | ConvertTo-SecureString
$OnpremCred = New-Object System.Management.Automation.PsCredential($OnpremUser,$OnpremEncrypted)

Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
New-AzureADSSOAuthenticationContext -CloudCredentials $CloudCred
Update-AzureADSSOForest -OnPremCredentials $OnpremCred

# Requirements:

# Microsoft Online Services Sign-In Assistant.

# 64-bit Azure Active Directory module for Windows PowerShell.

$CloudUser = '[email protected]'

$CloudEncrypted = Get-Content "C:\Scripts\Cloud_Encrypted_Password.txt" | ConvertTo-SecureString

$CloudCred = New-Object System.Management.Automation.PsCredential($CloudUser,$CloudEncrypted)

$OnpremUser = 'DOMAIN\service_account'

$OnpremEncrypted = Get-Content "C:\Scripts\Onprem_Encrypted_Password.txt" | ConvertTo-SecureString

$OnpremCred = New-Object System.Management.Automation.PsCredential($OnpremUser,$OnpremEncrypted)

Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'

New-AzureADSSOAuthenticationContext -CloudCredentials $CloudCred

Update-AzureADSSOForest -OnPremCredentials $OnpremCred

Output:

Disclaimer: All scripts and references on this blog are offered “as is” with no warranty. These scripts are tested in my environment, it is recommended that it is tested in a test environment before using in production.

Azure AD Connect, Kerberos, SSO

2 Comments

chris says:

August 3, 2018 at 11:06

Hello

Can you confirm what was the minimum permissions you supplied to the service account

Looks like it needs Global Admin

Reply
1. Joachim says:
  
  August 7, 2018 at 07:22
  
  Hi,
  
  Yes, ref https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso-faq
  It needs to be a Tenant Global Administrator.
  
  Azure Team is working on getting this automated.
  https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/33773926-automate-seamless-sso-kerberos-decryption-key-roll
  
  Reply

Joachim Løe

Automatically roll over the Kerberos decryption key Azure AD Connect SSO

2 Comments

Leave a Reply to chris Cancel reply