Regular rollover of the Kerberos decryption key is crucial for the security and integrity of Seamless Single Sign-On (SSO) in hybrid IT environments. Microsoft recommends rolling this key over every 30 days to close potential security gaps and keep the integration between on-premises Active Directory and Microsoft Entra ID working smoothly. The process can be automated to minimize administrative effort and ensure continuous security.

This blog post demonstrates how to automate the rollover of the Kerberos decryption key using PowerShell and Task Scheduler.

Prerequisites and Licensing

License

No additional license is required for the Seamless Single Sign-On (SSO) feature or for rolling over the Kerberos decryption key. Microsoft Entra ID Free, which is included in every Microsoft tenant, is sufficient.

Roles

Microsoft Entra ID

A Microsoft Entra ID user account holding the Global Administrator or Hybrid Identity Administrator role, used exclusively for the rollover of the Kerberos decryption key. This account should be protected with Microsoft Entra Conditional Access.

Active Directory

A user account in the local Active Directory with Enterprise Administrator or Domain Administrator permissions.

Windows Server

A Windows Server with domain access and Microsoft Entra Connect installed to execute the PowerShell script.

Is it time to roll over the Kerberos decryption key?

In the Microsoft Entra Admin Center, it is easy to see whether the Kerberos decryption key has been rolled over within the recommended 30 days or whether a rollover is due.

Sign in to Microsoft Entra admin center (https://entra.microsoft.com) and click on Identity > Hybrid management > Microsoft Entra Connect > Connect Sync.

A warning is shown next to Seamless single sign-on if the Kerberos decryption key needs to be rolled over.

Preparing PowerShell Script

The roll over of the Kerberos decryption key is performed automatically by a PowerShell script.

Securely Storing Credentials with PowerShell

The PowerShell script runs non-interactively and therefore needs access to the credentials without prompting. Passwords are never stored in plain text. Instead, the credentials are encrypted with the Export-Clixml cmdlet, which uses the Windows Data Protection API (DPAPI) to protect the password. Only the user account that created the encrypted file can decrypt it, and only on the device where it was created.

Storing Credentials for Active Directory User Account

Start PowerShell on Windows Server.
Run the Get-Credential cmdlet to store the Active Directory user account credentials in the $ADCreds variable.

Enter the credentials of the Active Directory user account with Enterprise Administrator or Domain Administrator privileges previously used to sign in to the Windows Server in the format sAMAccountName (Domain\Username).

Encrypt the credentials using the PowerShell cmdlet Export-Clixml and save them to the file C:\Scripts\Credentials\ADCreds.xml.

The created file ADCreds.xml now contains the encrypted credentials, which can only be decrypted by the device and user that created them.

Storing Credentials for Microsoft Entra ID User Account

Start PowerShell on Windows Server.
Run the Get-Credential cmdlet to store the Microsoft Entra ID user account credentials in the $EntraCreds variable.

Enter the credentials of the Microsoft Entra ID user account with the role of Global Administrator or Hybrid Identity Administrator.
The security of this user account should be managed through Microsoft Entra Conditional Access.

Encrypt the credentials using the PowerShell cmdlet Export-Clixml and save them to the file C:\Scripts\Credentials\EntraCreds.xml.

The created file EntraCreds.xml now contains the encrypted credentials, which can only be decrypted by the device and user that created them.
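The two credential-storing procedures above, as one added example that is not the post's own code. It assumes the folder C:\Scripts\Credentials from the post and uses placeholder prompts for the account names; it must be run interactively on the Windows Server under the same user account that will later run the scheduled task, because DPAPI ties the encrypted files to that user and machine.

```powershell
# Added example (not the post's script): encrypt both credential sets with
# Export-Clixml so a scheduled task can read them without prompting.
$credentialDir = 'C:\Scripts\Credentials'
if (-not (Test-Path -Path $credentialDir)) {
    New-Item -Path $credentialDir -ItemType Directory | Out-Null
}

# Active Directory account (Enterprise Admin or Domain Admin), entered as Domain\Username
$ADCreds = Get-Credential -Message 'Active Directory account (DOMAIN\Username)'
$ADCreds | Export-Clixml -Path (Join-Path $credentialDir 'ADCreds.xml')

# Microsoft Entra ID account (Global Administrator or Hybrid Identity Administrator)
$EntraCreds = Get-Credential -Message 'Microsoft Entra ID account (user principal name)'
$EntraCreds | Export-Clixml -Path (Join-Path $credentialDir 'EntraCreds.xml')

# Round-trip check: Import-Clixml only works for this user on this machine (DPAPI).
foreach ($file in 'ADCreds.xml', 'EntraCreds.xml') {
    $check = Import-Clixml -Path (Join-Path $credentialDir $file)
    if (-not ($check -is [System.Management.Automation.PSCredential])) {
        throw "Round-trip of $file failed"
    }
    Write-Output "$file stored for user '$($check.UserName)'"
}

# Added hardening (defence in depth, not required by DPAPI): stop ACL inheritance on
# the folder and grant access only to the creating user, SYSTEM and Administrators.
$acl = Get-Acl -Path $credentialDir
$acl.SetAccessRuleProtection($true, $false)
foreach ($identity in "$env:USERDOMAIN\$env:USERNAME", 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $credentialDir -AclObject $acl
```

If the scheduled task is later configured to run under a different account, the files have to be re-created under that account: Import-Clixml in the task will otherwise fail with a DPAPI decryption error rather than silently returning wrong credentials.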

Roll over Kerberos decryption key

Save the following PowerShell script as C:\Scripts\KerberosKeyRollover.ps1. The script decrypts the credentials and rolls over the Kerberos decryption key. The output is written to the file C:\Scripts\KerberosKeyRollover.txt; this file is overwritten each time the script runs.
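An added example of such a rollover script, written to match the behaviour the post describes; it is not the post's own script. It assumes Microsoft Entra Connect is installed in its default location (the AzureADSSO module path below) and uses the cmdlets New-AzureADSSOAuthenticationContext and Update-AzureADSSOForest that Microsoft documents for the key rollover. The PasswordLastSet post-check at the end is an addition and only runs if the ActiveDirectory module is available.

```powershell
# Added example for C:\Scripts\KerberosKeyRollover.ps1 (not the post's script).
$ErrorActionPreference = 'Stop'
$logFile       = 'C:\Scripts\KerberosKeyRollover.txt'
$credentialDir = 'C:\Scripts\Credentials'
$ssoModule     = 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
$failed        = $false

# Start-Transcript without -Append overwrites the log on every run, as the post states.
Start-Transcript -Path $logFile
try {
    Write-Output "Rollover started $(Get-Date -Format 'u') as $env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME"

    # Decrypt the stored credentials. Import-Clixml succeeds only for the user and
    # machine that ran Export-Clixml, so a task configured with the wrong account fails here.
    $ADCreds    = Import-Clixml -Path (Join-Path $credentialDir 'ADCreds.xml')
    $EntraCreds = Import-Clixml -Path (Join-Path $credentialDir 'EntraCreds.xml')

    Import-Module $ssoModule

    # Non-interactive sign-in to Microsoft Entra ID with the stored cloud credentials.
    New-AzureADSSOAuthenticationContext -CloudCredentials $EntraCreds

    # Roll over the key: resets the AZUREADSSOACC computer account password in AD
    # and uploads the new Kerberos decryption key to Microsoft Entra ID.
    Update-AzureADSSOForest -OnPremCredentials $ADCreds

    # Added post-check: PasswordLastSet of AZUREADSSOACC must now be recent.
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        $acct = Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet
        Write-Output "AZUREADSSOACC PasswordLastSet: $($acct.PasswordLastSet)"
        if ($acct.PasswordLastSet -lt (Get-Date).AddMinutes(-10)) {
            throw "PasswordLastSet was not updated (still $($acct.PasswordLastSet))"
        }
    }
    Write-Output "Rollover finished $(Get-Date -Format 'u')"
}
catch {
    $failed = $true
    Write-Output "Rollover FAILED: $($_.Exception.Message)"
}
finally {
    Stop-Transcript
}
if ($failed) { exit 1 }
```

Because the cloud sign-in is non-interactive, a Conditional Access policy that demands interactive MFA from this account will make the script fail at New-AzureADSSOAuthenticationContext; the policy protecting the account has to be scoped so that this server's sign-in is allowed, and the transcript file is where that failure will show up. The non-zero exit code lets Task Scheduler record the failure in the task's Last Run Result.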

Check PowerShell Script

To verify functionality, manually run the PowerShell script from C:\Scripts\KerberosKeyRollover.ps1. The script should execute without any errors or prompts for credentials and display the message The operation completed successfully at the end.

Task Scheduler

The Task Scheduler automates the roll over of the Kerberos decryption key, reducing administrative overhead while simultaneously enhancing security.

Sign in to the Windows Server > start Task Scheduler and click Create Basic Task

Enter a name for the task, e.g., Kerberos decryption key roll over

Run the task weekly

  1. Select the start time
  2. Set the recurrence interval to 4 weeks to ensure the task runs within 30 days
  3. Choose the day of the week for execution according to your needs

Under Actions, select Start a program

  1. Program/script: powershell.exe
  2. Arguments: -File "C:\Scripts\KerberosKeyRollover.ps1"
  3. Start in: C:\Scripts\

Select the option Open the Properties dialog for this task when I click Finish (1) and click Finish (2)

Select the option Run whether user is logged on or not (1) and Click OK (2)

The new task for rolling over the Kerberos decryption key will be displayed in the Task Scheduler.
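The same task created from PowerShell instead of the Task Scheduler GUI, as an added example that is not part of the post. The account name is a placeholder; it must be the account that ran Export-Clixml, otherwise the script cannot decrypt the credential files. Passing -User and -Password to Register-ScheduledTask is what produces the "Run whether user is logged on or not" setting the post selects.

```powershell
# Added example (not from the post): register the rollover task with PowerShell.
$taskName = 'Kerberos decryption key rollover'
$runAs    = 'CONTOSO\svc-ssorollover'                 # placeholder; same account that created the credential files
$runAsPwd = Read-Host -Prompt "Password for $runAs"   # Register-ScheduledTask needs it as a plain string

# Actions: same program, arguments and working directory as in the post
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -File "C:\Scripts\KerberosKeyRollover.ps1"' `
    -WorkingDirectory 'C:\Scripts\'

# Trigger: weekly with a 4-week interval keeps every run inside the 30-day recommendation
$trigger = New-ScheduledTaskTrigger -Weekly -WeeksInterval 4 -DaysOfWeek Sunday -At '03:00'

# Run missed occurrences as soon as possible and cap the runtime
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Hours 1)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Settings $settings `
    -User $runAs -Password $runAsPwd -RunLevel Highest -Force | Out-Null

# Verify the registration, run once on demand and read back the result code
Get-ScheduledTask -TaskName $taskName | Select-Object TaskName, State
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 60
Get-ScheduledTaskInfo -TaskName $taskName | Select-Object LastRunTime, LastTaskResult
Get-Content -Path 'C:\Scripts\KerberosKeyRollover.txt' -Tail 5
```

A LastTaskResult of 0 together with the transcript's final lines confirms that the task account could decrypt the credential files and the rollover ran; any DPAPI or sign-in failure appears in the transcript rather than in the Task Scheduler UI.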

Functionality Check

The successful roll over of the Kerberos decryption key can be verified at the following locations.

Active Directory Attribute PasswordLastSet

The timestamp of the PasswordLastSet attribute for the computer account AZUREADSSOACC must match the time of the roll over performed by the Task Scheduler.

Event Viewer

The following entries appear in the Security log of the Windows Server Event Viewer:

Event ID 4724: An attempt was made to reset an account's password

Event ID 4742: A computer account was changed

Microsoft Entra Admin Center

Sign in to Microsoft Entra admin center (https://entra.microsoft.com) and select Seamless single sign-on under Identity > Hybrid management > Microsoft Entra Connect > Connect Sync.

The key creation date matches the time of the last execution of the Task Scheduler.
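The two server-side checks above (PasswordLastSet and the 4724/4742 Security events), as an added PowerShell example that is not from the post. It assumes the ActiveDirectory module is available and that the Security log being read belongs to the domain controller that processed the password reset; the events are written on that domain controller, so if the Microsoft Entra Connect server is not a domain controller, set $logHost to the DC (and the "Audit User Account Management" and "Audit Computer Account Management" audit policies must be enabled there for the events to exist at all).

```powershell
# Added example (not from the post): verify the last Kerberos decryption key rollover.
$logHost = $env:COMPUTERNAME        # set to the domain controller name if this server is not a DC
$since   = (Get-Date).AddDays(-30)  # Microsoft's recommended rollover interval

# 1. PasswordLastSet on the AZUREADSSOACC computer account
$sso = Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet
$age = (Get-Date) - $sso.PasswordLastSet
Write-Output "AZUREADSSOACC PasswordLastSet: $($sso.PasswordLastSet) (age: $([int]$age.TotalDays) days)"
if ($age.TotalDays -gt 30) { Write-Warning 'Key is older than 30 days: rollover overdue' }

# 2. Security log: 4724 (password reset attempt) and 4742 (computer account changed)
#    whose target is the AZUREADSSOACC$ account, within the last 30 days.
function Get-EventDataValue {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$events = Get-WinEvent -ComputerName $logHost -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4724, 4742; StartTime = $since } |
    Where-Object { (Get-EventDataValue -Event $_ -Name 'TargetUserName') -eq 'AZUREADSSOACC$' } |
    Select-Object TimeCreated, Id,
        @{ n = 'Subject'; e = { Get-EventDataValue -Event $_ -Name 'SubjectUserName' } }

if ($events) {
    $events | Format-Table -AutoSize
    # The subject of the reset should be the task account, and the event time should
    # line up with PasswordLastSet; anything else is worth a closer look.
    $latest = $events | Sort-Object TimeCreated -Descending | Select-Object -First 1
    $skew = [math]::Abs(($latest.TimeCreated - $sso.PasswordLastSet).TotalMinutes)
    if ($skew -gt 5) { Write-Warning "Latest reset event and PasswordLastSet differ by $([int]$skew) minutes" }
} else {
    Write-Warning "No 4724/4742 events for AZUREADSSOACC$ on $logHost since $since"
}
```

Comparing the event's Subject against the account the scheduled task runs under turns this from a simple success check into a detection: a reset of AZUREADSSOACC by any other principal, or at a time that does not match the task schedule, deserves investigation because that key protects every Seamless SSO ticket.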
