Automatically roll over the Kerberos decryption key Azure AD Connect SSO
It's highly recommended to roll over the Kerberos decryption key of the Azure AD Connect Seamless SSO computer account every 30 days. There is no built-in feature to roll this key over automatically.
You will notice this warning in the Azure portal if the key hasn’t been rolled over recently.
I've used this blog article to secure the service account password on the server:
http://www.sameie.com/2017/10/05/create-hashed-password-file-for-powershell-use/
I've configured a PowerShell script that runs as a scheduled task on the server where Azure AD Connect is installed.
# Requirements:
# Microsoft Online Services Sign-In Assistant.
# 64-bit Azure Active Directory module for Windows PowerShell.

# Azure AD Global Administrator used for the cloud side (the original script did not
# assign this variable before using it; replace the placeholder with the real UPN).
$CloudUser = 'globaladmin@tenant.onmicrosoft.com'
# Password files were created with ConvertFrom-SecureString (DPAPI), so they can only be
# decrypted by the same Windows account on the same server that created them.
$CloudEncrypted = Get-Content "C:\Scripts\Cloud_Encrypted_Password.txt" | ConvertTo-SecureString
$CloudCred = New-Object System.Management.Automation.PsCredential($CloudUser,$CloudEncrypted)

# On-premises account with rights to update the SSO computer account's key
$OnpremUser = 'DOMAIN\service_account'
$OnpremEncrypted = Get-Content "C:\Scripts\Onprem_Encrypted_Password.txt" | ConvertTo-SecureString
$OnpremCred = New-Object System.Management.Automation.PsCredential($OnpremUser,$OnpremEncrypted)

# Load the Seamless SSO module shipped with Azure AD Connect, authenticate to the tenant
# and roll over the Kerberos decryption key for this forest.
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
New-AzureADSSOAuthenticationContext -CloudCredentials $CloudCred
Update-AzureADSSOForest -OnPremCredentials $OnpremCred
Output:
Disclaimer: All scripts and references on this blog are offered "as is" with no warranty. These scripts are tested in my environment; it is recommended that they are tested in a test environment before being used in production.
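The post shows the rollover script itself but not the one-time setup around it. The following is an added example, not code from the original post: it creates the two DPAPI-protected password files the script reads, locks their ACLs down, and registers the scheduled task with a 30-day trigger. The task name, the script path C:\Scripts\Rollover-KerberosKey.ps1 and the account names are assumptions to replace. One caveat a practitioner should know: ConvertFrom-SecureString without -Key binds the file to the user and machine that created it, so this setup must be run interactively as the same account the scheduled task will run under, on the Azure AD Connect server.

```powershell
# Added example, not from the original post. Run interactively on the Azure AD Connect
# server AS the service account that will own the scheduled task (DPAPI binding, see above).
# Assumed/placeholder names: $ScriptPath, $OnpremUser, $TaskName.

$ScriptsDir = 'C:\Scripts'
$ScriptPath = Join-Path $ScriptsDir 'Rollover-KerberosKey.ps1'   # the post's script saved here
$OnpremUser = 'DOMAIN\service_account'                          # account that runs the task
$TaskName   = 'AzureADSSO-KerberosKeyRollover'

New-Item -ItemType Directory -Path $ScriptsDir -Force | Out-Null

# 1. Store both passwords the rollover script reads, protected with DPAPI for the current user.
$cloudSecure = Read-Host -Prompt 'Azure AD Global Administrator password' -AsSecureString
$cloudSecure | ConvertFrom-SecureString |
    Set-Content -Path (Join-Path $ScriptsDir 'Cloud_Encrypted_Password.txt')

$onpremSecure = Read-Host -Prompt "Password for $OnpremUser" -AsSecureString
$onpremSecure | ConvertFrom-SecureString |
    Set-Content -Path (Join-Path $ScriptsDir 'Onprem_Encrypted_Password.txt')

# 2. Restrict the files to the owning account, local administrators and SYSTEM
#    (constructed ACL; adjust to your policy). Even though DPAPI protects the content,
#    the Global Administrator secret deserves defence in depth.
foreach ($file in 'Cloud_Encrypted_Password.txt', 'Onprem_Encrypted_Password.txt') {
    $path = Join-Path $ScriptsDir $file
    $acl  = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting and drop inherited ACEs
    foreach ($id in $OnpremUser, 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl
}

# 3. Register the scheduled task: every 30 days at 03:00, run the rollover script
#    as the service account with highest privileges, only when the network is up.
$action   = New-ScheduledTaskAction -Execute 'powershell.exe' `
            -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
$trigger  = New-ScheduledTaskTrigger -Daily -DaysInterval 30 -At '03:00'
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -RunOnlyIfNetworkAvailable

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Settings $settings `
    -User $OnpremUser -Password (Read-Host -Prompt "Password for $OnpremUser (task logon)") `
    -RunLevel Highest `
    -Description 'Rolls over the Azure AD Seamless SSO Kerberos decryption key every 30 days.'

# 4. Quick checks: the task is registered, and the files decrypt for this user.
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State
$null = Get-Content (Join-Path $ScriptsDir 'Onprem_Encrypted_Password.txt') | ConvertTo-SecureString
$null = Get-Content (Join-Path $ScriptsDir 'Cloud_Encrypted_Password.txt')  | ConvertTo-SecureString
Write-Host "Setup complete. Force a first run with: Start-ScheduledTask -TaskName $TaskName"
```

After the first forced run, the Azure portal warning about the key age should clear, and the task's last-run result in Task Scheduler is the place to check that later rollovers keep succeeding (a non-zero result usually means a changed Global Administrator password or an expired token, since the script has no retry logic of its own).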
Hello
Can you confirm what the minimum permissions were that you supplied to the service account?
Looks like it needs Global Admin
Hi,
Yes, ref https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso-faq
It needs to be a Tenant Global Administrator.
Azure Team is working on getting this automated.
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/33773926-automate-seamless-sso-kerberos-decryption-key-roll