With Seamless SSO (Seamless Single Sign-On), users sign in to on-premises and cloud-based services with the same credentials and are not repeatedly prompted for them when moving between services. The necessary data is synchronized automatically between Active Directory and Azure Active Directory.

When Seamless SSO is configured, the computer account “AZUREADSSOACC” is created. For security reasons, the Kerberos decryption key of this account should be rolled over every 30 days.

This tutorial describes how to manually roll over the Kerberos decryption key every 30 days.

Prerequisites and Licensing

No paid license is required for the feature “Seamless SSO”.
It is sufficient if Azure Active Directory is licensed with “Azure AD Free”.

Situation

For security reasons, Microsoft recommends rolling over the Kerberos decryption key of the computer account “AZUREADSSOACC” every 30 days. The Azure Portal (https://portal.azure.com) shows a warning under Azure Active Directory > Azure AD Connect > Connect Sync when the key is due for rollover.

Roll over Kerberos decryption key - Azure AD Connect
Roll over Kerberos decryption key - Seamless single sign-on

When configuring Seamless SSO with Azure AD Connect, the computer account “AZUREADSSOACC” is created in the on-premises Active Directory.

Perform Kerberos Key Rollover with PowerShell

Before performing the Kerberos key rollover, PowerShell can be used to check the current status of the configuration, in particular that no active error messages are present.

In the Windows PowerShell ISE, start the following script as an administrator and sign in with a Global Administrator account when prompted.

When the status shows no errors, the Kerberos decryption key rollover can be performed with the following PowerShell script.
When prompted for credentials, an Enterprise Administrator account from the on-premises Active Directory is required. Sign in using the SamAccountName format, e.g. Domain\username.
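The status check, the rollover and the PasswordLastSet verification described in this tutorial, combined into one script. This is an added example and not the tutorial's own script; it assumes Azure AD Connect is installed in its default path, that the ActiveDirectory RSAT module is available on the machine it runs on, and that the domain's PDC emulator is reachable for the event check.

```powershell
# Added example (not the tutorial's script): check Seamless SSO status, roll over
# the AZUREADSSOACC Kerberos decryption key and verify the result.
# Assumption: Azure AD Connect is installed in its default location and the
# ActiveDirectory module (RSAT) is present on this machine.
$moduleFile = Join-Path $env:ProgramFiles 'Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
Import-Module $moduleFile
Import-Module ActiveDirectory

$ssoAccount = 'AZUREADSSOACC'

# 1. Sign in with a Global Administrator and display the current status
#    (look for error messages before continuing).
New-AzureADSSOAuthenticationContext
$status = Get-AzureADSSOStatus | ConvertFrom-Json
$status | Format-List

# 2. Record PasswordLastSet before the rollover so the change can be verified.
$before = (Get-ADComputer -Identity $ssoAccount -Properties PasswordLastSet).PasswordLastSet
Write-Host "PasswordLastSet before rollover: $before"

# 3. Roll over the key. The prompt expects an on-premises Enterprise
#    Administrator in SamAccountName format (Domain\username).
$onPremCred = Get-Credential -Message 'Enterprise Administrator (Domain\username)'
Update-AzureADSSOForest -OnPremCredentials $onPremCred

# 4. Verify: PasswordLastSet must now be later than the value recorded in step 2.
$after = (Get-ADComputer -Identity $ssoAccount -Properties PasswordLastSet).PasswordLastSet
if ($after -gt $before) {
    Write-Host "Rollover succeeded, PasswordLastSet is now: $after"
} else {
    Write-Warning "PasswordLastSet did not change ($after); the rollover did not take effect."
}

# 5. Confirm the matching Security log entries (4724 password reset, 4742 computer
#    account changed) on the PDC emulator, the domain controller the change is
#    most likely to have been written to.
$dc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4724, 4742; StartTime = $before } |
    Where-Object { $_.Message -match $ssoAccount } |
    Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } }
```

If the rollover was processed on another domain controller, point the event query at that DC instead of the PDC emulator.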

Check the Kerberos rollover

Verify that the Kerberos decryption key was rolled over successfully as follows:

Check PasswordLastSet

The timestamp for the PasswordLastSet attribute of the “AZUREADSSOACC” computer account must match the time when the renewal took place.

Event viewer

In the Event Viewer of the domain controller, the following two entries appear in the Security log:

Event ID 4724: An attempt was made to reset an account’s password

Event ID 4742: A computer account was changed

Azure Portal

The warning under Azure Active Directory > Azure AD Connect > Connect Sync is no longer shown.

The status and the timestamp of the key creation are updated in the Azure Portal.
