Regularly rolling over the Kerberos decryption key is crucial for the security and integrity of seamless Single Sign-On (SSO) in hybrid environments: the key is derived from the password of the AZUREADSSOACC computer account, and anyone who obtains it can forge Kerberos tickets that Microsoft Entra ID accepts for seamless SSO. Microsoft therefore recommends rolling the key over at least every 30 days, which limits the window in which a leaked key can be abused while keeping the integration between on-premises Active Directory and Microsoft Entra ID working. The roll over can be automated to minimize administrative effort and ensure it actually happens on schedule.
This blog post demonstrates how to automate the roll over of the Kerberos decryption key using PowerShell and Task Scheduler.
Prerequisites and Licensing
License
No license is required for Seamless Single Sign-On (SSO) or for rolling over the Kerberos decryption key. Microsoft Entra ID Free, which is included in every Microsoft tenant, is sufficient.
Roles
Microsoft Entra ID
A Microsoft Entra ID user account holding the Hybrid Identity Administrator role (sufficient for this task and less privileged than Global Administrator), used exclusively for the roll over of the Kerberos decryption key. Protect this account with Microsoft Entra Conditional Access, but keep in mind that the scheduled script signs in non-interactively with a stored user name and password: a policy that requires MFA for that sign-in makes the roll over fail. Restrict the account instead, for example to the named location of the Microsoft Entra Connect server, and block its sign-ins from everywhere else.
Active Directory
A user account in the on-premises Active Directory with Domain Administrator (or Enterprise Administrator) privileges in the forest in which Seamless SSO is configured.
Windows Server
A domain-joined Windows Server with Microsoft Entra Connect installed, on which the PowerShell script is executed. The AzureADSSO PowerShell module used by the script ships with Microsoft Entra Connect.
Is it time to roll over the Kerberos decryption key?
In the Microsoft Entra Admin Center, it is easy to see whether the Kerberos decryption key has been rolled over within the recommended 30 days or if a roll over is due.
Sign in to Microsoft Entra admin center (https://entra.microsoft.com) and click on Identity > Hybrid management > Microsoft Entra Connect > Connect Sync.
If a roll over is due, a warning is shown next to Seamless single sign-on.
Preparing PowerShell Script
The roll over of the Kerberos decryption key is performed automatically by a PowerShell script.
Securely Storing Credentials with PowerShell
The PowerShell script runs non-interactively and therefore needs access to the credentials. The password is never stored in plain text: the credential object is written with the Export-Clixml cmdlet, which protects the password (a SecureString) with the Windows Data Protection API (DPAPI) under the key of the user who runs the cmdlet. The resulting file can only be decrypted by that same user account, and only on the computer where it was created; the user name inside the file is not encrypted. For the roll over this means that the credential files must be created in the session of the account under which the scheduled task later runs.
Storing Credentials for Active Directory User Account
Start PowerShell on Windows Server.
Run the Get-Credential cmdlet to store the Active Directory user account credentials in the $ADCreds variable.
$ADCreds = Get-Credential
Enter the credentials of the Active Directory user account with Enterprise Administrator or Domain Administrator privileges in the form Domain\Username (sAMAccountName). Do this in the session of the account that the scheduled task will later run as, since only that account on this server can decrypt the file.
Encrypt the credentials using the PowerShell cmdlet Export-Clixml and save them to the file C:\Scripts\Credentials\ADCreds.xml.
$ADCreds | Export-CliXml -Path "C:\Scripts\Credentials\ADCreds.xml"
The created file ADCreds.xml now contains the encrypted credentials, which can only be decrypted by the device and user that created them.
Storing Credentials for Microsoft Entra ID User Account
Start PowerShell on Windows Server.
Run the Get-Credential cmdlet to store the Microsoft Entra ID user account credentials in the $EntraCreds variable.
$EntraCreds = Get-Credential
Enter the credentials of the Microsoft Entra ID user account with the Hybrid Identity Administrator (or Global Administrator) role in user principal name form (user@domain).
As noted under Roles, this account should be protected through Microsoft Entra Conditional Access in a way that still allows the script's non-interactive password sign-in.
Encrypt the credentials using the PowerShell cmdlet Export-Clixml and save them to the file C:\Scripts\Credentials\EntraCreds.xml.
$EntraCreds | Export-CliXml -Path "C:\Scripts\Credentials\EntraCreds.xml"
The created file EntraCreds.xml now contains the encrypted credentials, which can only be decrypted by the device and user that created them.
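As an added example that is not part of the original post: two helper functions (the names Protect-CredentialFolder and Test-StoredCredential are this example's own) that restrict C:\Scripts\Credentials to the creating account, SYSTEM and local Administrators, and check that each XML file decrypts to a usable PSCredential in the current session, the only session that can decrypt it. Run both in the same session that ran Export-Clixml.

```powershell
function Protect-CredentialFolder {
    param([string]$Path = "C:\Scripts\Credentials")

    # DPAPI already binds the password to the creating user and computer, but the
    # user name inside the XML is plain text: stop ACL inheritance and allow only
    # the creating account, SYSTEM and local Administrators.
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting, drop inherited ACEs
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)               # drop explicit ACEs such as Users: Read
    }
    foreach ($identity in @($me, "NT AUTHORITY\SYSTEM", "BUILTIN\Administrators")) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
            $identity, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
    # Return the resulting ACL so the caller can eyeball it
    (Get-Acl -Path $Path).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
}

function Test-StoredCredential {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$ExpectUpn   # Entra account: user@domain; AD account: DOMAIN\user
    )
    # Import-Clixml fails here when the file was created by another user or on another
    # computer, which is exactly the DPAPI property the roll over script relies on.
    try {
        $cred = Import-Clixml -Path $Path -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "cannot decrypt: $($_.Exception.Message)" }
    }
    if ($cred -isnot [System.Management.Automation.PSCredential]) {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "file does not contain a PSCredential" }
    }
    $formatOk = if ($ExpectUpn) { $cred.UserName -match '^[^\\@]+@[^\\@]+$' }
                else            { $cred.UserName -match '^[^\\]+\\[^\\]+$' }
    # Only check that a password is present; never write it to the console or transcript
    $hasPassword = $cred.GetNetworkCredential().Password.Length -gt 0
    $reason = if (-not $formatOk) { "unexpected user name format '$($cred.UserName)'" }
              elseif (-not $hasPassword) { "empty password" }
              else { "ok" }
    [pscustomobject]@{ Path = $Path; Ok = ($formatOk -and $hasPassword); Reason = $reason }
}

Protect-CredentialFolder
Test-StoredCredential -Path "C:\Scripts\Credentials\ADCreds.xml"
Test-StoredCredential -Path "C:\Scripts\Credentials\EntraCreds.xml" -ExpectUpn
```

If Test-StoredCredential reports "cannot decrypt" for a file you just created, you are almost certainly running under a different account (for example an elevated console started with different credentials) than the one that ran Export-Clixml; the scheduled task will fail in the same way.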
Roll over Kerberos decryption key
Save the following PowerShell script as C:\Scripts\KerberosKeyRollover.ps1. It decrypts the stored credentials, signs in to the tenant and rolls over the Kerberos decryption key of the AZUREADSSOACC computer account. Output is written to C:\Scripts\KerberosKeyRollover.txt, which is overwritten on every run. Two caveats from Microsoft's roll over guidance: if you have customized the permissions on the AZUREADSSOACC computer account, add -PreserveCustomPermissionsOnDesktopSsoAccount to Update-AzureADSSOForest, otherwise the cmdlet resets them; and if Seamless SSO is enabled on several forests, run Update-AzureADSSOForest once, and only once, per forest with that forest's credentials.
# Write everything the script prints to a transcript (overwritten on each run)
Start-Transcript -Path "C:\Scripts\KerberosKeyRollover.txt"

# Stop at the first error so a failed cloud sign-in does not continue into Update-AzureADSSOForest
$ErrorActionPreference = "Stop"

try {
    # Decrypt the DPAPI-protected credentials; works only for the user and computer that created the files
    $EntraCreds = Import-CliXml -Path "C:\Scripts\Credentials\EntraCreds.xml"
    $ADCreds = Import-CliXml -Path "C:\Scripts\Credentials\ADCreds.xml"

    # Load the AzureADSSO module that ships with Microsoft Entra Connect
    Set-Location "$env:ProgramFiles\Microsoft Azure Active Directory Connect"
    Import-Module .\AzureADSSO.psd1

    # Sign in to the tenant and roll over the Kerberos decryption key of AZUREADSSOACC
    New-AzureADSSOAuthenticationContext -CloudCredentials $EntraCreds
    Update-AzureADSSOForest -OnPremCredentials $ADCreds
}
finally {
    # Always close the transcript, even when a step above failed
    Stop-Transcript
}
Check PowerShell Script
To verify the script, run it manually from C:\Scripts\KerberosKeyRollover.ps1 in the session of the account that created the credential files. It should complete without errors or credential prompts and display the message The operation completed successfully at the end. The transcript in C:\Scripts\KerberosKeyRollover.txt contains the same output and is the first place to look when the scheduled run fails later.
Task Scheduler
The Task Scheduler automates the roll over of the Kerberos decryption key, reducing administrative overhead while simultaneously enhancing security.
Sign in to the Windows Server > start Task Scheduler and click Create Basic Task
Enter a name for the task, e.g., Kerberos decryption key roll over
Run the task weekly
- Select the start time
- Set the recurrence to every 4 weeks (28 days), so that the task runs within the recommended 30 days
- Choose the day of the week for execution according to your needs
Under Actions, select Start a program
- Program/script: powershell.exe
- Arguments: -NonInteractive -File "C:\Scripts\KerberosKeyRollover.ps1" (the -NonInteractive switch makes PowerShell fail instead of hanging on a prompt)
- Start in: C:\Scripts\
Select the option Open the Properties dialog for this task when I click Finish and click Finish
In the Properties dialog, select Run whether user is logged on or not and click OK. When prompted, enter the password of the account that created the credential files: the task must run as exactly that account, otherwise Import-CliXml cannot decrypt ADCreds.xml and EntraCreds.xml. Leave Do not store password unchecked; without the stored password the task runs with a logon that in practice cannot unlock the account's DPAPI master key, and the decryption fails as well.
The new task for rolling over the Kerberos decryption key will be displayed in the Task Scheduler.
Functionality Check
The successful roll over of the Kerberos decryption key can be verified at the following locations.
Active Directory attribute PasswordLastSet
The PasswordLastSet timestamp of the AZUREADSSOACC computer account must match the time the Task Scheduler ran the roll over:
Get-ADComputer AZUREADSSOACC -Properties PasswordLastSet | Format-List Name,PasswordLastSet
Event Viewer
The following entries appear in the Security log of the domain controller that processed the password reset (not necessarily on the Microsoft Entra Connect server), provided the Audit User Account Management and Audit Computer Account Management subcategories are enabled:
Event ID 4724: An attempt was made to reset an account's password (target account AZUREADSSOACC$)
Event ID 4742: A computer account was changed
Microsoft Entra Admin Center
Sign in to Microsoft Entra admin center (https://entra.microsoft.com) and select Seamless single sign-on under Identity > Hybrid management > Microsoft Entra Connect > Connect Sync.
The key creation date matches the time of the last execution of the Task Scheduler.
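As an added example that is not part of the original post, the two checks above (is the key older than 30 days, and did the last roll over leave the expected 4724/4742 trail) as PowerShell functions, so they can be run from a monitoring job rather than by clicking through the admin center. Get-SsoKeyRolloverStatus and Get-SsoKeyRolloverEvents are this example's own names; it assumes the ActiveDirectory RSAT module on a domain-joined host, and that the account running it can read the Security log of the domain controllers remotely (Event Log Readers membership and the Remote Event Log Management firewall rule).

```powershell
function Get-SsoKeyRolloverStatus {
    param([int]$MaxAgeDays = 30)   # Microsoft's recommended maximum key age
    $acc = Get-ADComputer -Identity "AZUREADSSOACC" -Properties PasswordLastSet
    $age = (Get-Date) - $acc.PasswordLastSet
    [pscustomobject]@{
        PasswordLastSet = $acc.PasswordLastSet
        AgeDays         = [math]::Floor($age.TotalDays)
        Overdue         = $age.TotalDays -gt $MaxAgeDays
        DueBy           = $acc.PasswordLastSet.AddDays($MaxAgeDays)
    }
}

function Get-SsoKeyRolloverEvents {
    param(
        # 4724/4742 are written on whichever DC processed the reset, so query all of them
        [string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName),
        [int]$LookbackDays = 35
    )
    $filter = @{ LogName = "Security"; Id = 4724, 4742; StartTime = (Get-Date).AddDays(-$LookbackDays) }
    foreach ($dc in $DomainController) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            # Parse the EventData fields from the event XML instead of regexing the message text
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                if ($d.Name) { $data[$d.Name] = $d.'#text' }
            }
            if ($data['TargetUserName'] -eq 'AZUREADSSOACC$') {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    DC      = $dc
                    EventId = $_.Id
                    # The actor should be the task's AD account; anything else deserves a closer look
                    Actor   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                }
            }
        }
    }
}

$status = Get-SsoKeyRolloverStatus
$status
if ($status.Overdue) {
    Write-Warning "Kerberos decryption key is $($status.AgeDays) days old; roll it over now."
}
Get-SsoKeyRolloverEvents | Sort-Object Time | Format-Table -AutoSize
```

A 4724 event for AZUREADSSOACC$ whose Actor is not the account used by the scheduled task means someone else reset the SSO key, which either breaks seamless SSO for users holding old tickets or indicates tampering; both are worth an alert.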