Users can use the same credentials for on-premises and cloud-based services with Seamless SSO. There is no need for recurring prompts to enter credentials between services. The necessary data are automatically synced between Active Directory and Azure Active Directory.
When configuring Seamless SSO, the computer account “AZUREADSSOACC” is created. For security reasons, the Kerberos encryption key for this account should be rolled over every 30 days.
This tutorial describes how to manually roll over the Kerberos decryption key every 30 days.
Prerequisites and Licensing
No paid license is required for the feature “Seamless SSO”.
It is sufficient if Azure Active Directory is licensed with “Azure AD Free”.
Situation
For security reasons, Microsoft recommends to roll over the Kerberos keys of the computer account “AZUREADSSOACC “every 30 days. The Azure Portal (https://portal.azure.com) shows a warning under Azure Active Directory > Azure AD Connect > Connect Sync when the Kerberos decryption key roll over should be renewed.
When configuring Seamless SSO with Azure AD Connect, the computer account “AZUREADSSOACC” is created in the on-premises Active Directory.
Perform Kerberos Key Rollover with PowerShell
Before performing the Kerberos key rollover, PowerShell can be used to check the current status of the configuration. In particular, that no active error messages are present.
In the Windows PowerShell ISE, start the following script as an administrator and use an global administrator to sign in when prompted.
|
1 2 3 4 5 |
cd "$env:programfiles\Microsoft Azure Active Directory Connect" Import-Module .\AzureADSSO.psd1 New-AzureADSSOAuthenticationContext Get-AzureADSSOStatus | ConvertFrom-Json |
When the status shows no errors, the Kerberos decryption key rollover can be performed with the following PowerShell script.
When prompted for credentials, an Enterprise Administrator from the local Active Directory is required. Sign in with SamAccountName format, e.g. Domain\username.
|
1 2 |
$creds = Get-Credential Update-AzureADSSOForest -OnPremCredentials $creds |
Check Kerberos roll over
The verification of the successful roll over of the Kerberos decryption key is performed as follows:
Check PasswordLastSet
The timestamp for the PasswordLastSet attribute of the “AZUREADSSOACC” computer account must match the time when the renewal took place.
|
1 |
Get-ADComputer AZUREADSSOACC -Properties * | FL Name,PasswordLastSet |
Event viewer
In the event viewer of the domain controller, the following two entries are displayed in the security log:
EventID 4724 an Attempt was made to reset an account’s password
EventID 4724 an Attempt was made to reset an account’s password
EventID 4742 a computer account was changed
Azure Portal
Warning under Active Directory > Azure AD Connect > Connect Sync is no longer shown.
Status and timestamp of key creation is updated in Azure Portal.
Follow me on LinkedIn and get informed about my latest posts.
Was this post helpful to you? Show your enthusiasm with the delightful aroma of a freshly brewed coffee for me!
