AADconnect / Office 365 / Seamless Sign On / SSO

Seamless Sign On, Kerberos roll over–Wait what??

Mark Gerlow7 Comments

UPDATE: So happy to see that Microsoft has heard our prayers. They are working on a solution to automate the rollover in Azure. Read more about it HERE.

 

So, you’ve installed Seamless Sign On, and its been running awesome, by chance you logon to your Azure tenant, just nosy browsing around, improving your Azure skills, and suddenly you find this……. Kerberos Roll Over, wait what? erhm… What?….. Confused smile

image

First of, when I saw this, I thought it was a joke, but after thinking it over, it made sense….in a weird kind of way.

First of, when you install AADConnect and enable Seamless Sign On and Single Sign On, you get an extra auto generated Computer object in your AD called AZUAREADSSOACC.

image

This is the object in charge of handling / generating the shared Kerberos key needed between local AD and Azure AD. (best leave that one alone Smile with tongue out)

Since this is a “dead, virtual” object, it is not able to create new keys automatically, so for at best practice, MS recommends to do a manual “Roll-Over” every 30 days. I will explain how to do this in a short while, first of, cast your vote HERE, for the feature of AADConnect to do automatic Roll-Overs….Awesome, Thanks.

First of, connect your Powershell ISE to your Tenant.

(You got to know that one by now Smile)

Next you run these simple Cmdlets. (NOTE: These Cmdlets and the text is copied from the official MS documentation. Explanations where great, so no need to convert them )

(I’m really sorry, but for some reason i didn’t get the steps in, where you have to import the powershell script AzureADSSO.psd1. This script has the CMDlets you need.)

You have to run this from the server, where you run AADConnect. So, dive down to the install dir, and import this

cd “C:\Program Files\Microsoft Azure Active Directory Connect”

Import-Module .\AzureADSSO.psd1

New-AzureADSSOAuthenticationContext

#This command should give you a popup to enter your tenant’s Global Administrator credentials.

Get-AzureADSSOStatus | fl

#This command provides you the list of AD forests (look at the “Domains” list) on which this feature has been enabled.

#Step 2. Update the Kerberos decryption key on each AD forest that it was set it up on

$O365Cred = Get-Credential

# When prompted, enter the Domain Administrator credentials for the intended AD forest.

Update-AzureADSSOForest -OnPremCredentials $O365Cred

#This command updates the Kerberos decryption key for the AZUREADSSOACC computer account in this specific AD forest and updates it in Azure AD.

#Repeat the preceding steps for each AD forest that you’ve set up the feature on

And you’re done…. AADConnect welcomes you back in 30 days Smile. Seriously, save it in a .psd1 file, for easy running, next time.

THATS why I use PowerShell ISE for everything (and the fact that my memory is really bad Open-mouthed smile)

I’ve seen some bloggers doing articles where they save Global Tenant admin’s and corresponding passwords in text files, encrypted, not encrypted and so on, in an attempt to automate this. Needles to say, this is a MAJOR SECURITY RISK, and cannot be recommended. Better yet, go cast your vote, so that MS puts this feature inside AADConnect.

Until next time, happy cloud computing Smile

7 thoughts on “Seamless Sign On, Kerberos roll over–Wait what??

  2. To be honest with you. I get stuck here as I don’t know what to do anymore.
    Browse to the %programfiles%\Microsoft Azure Active Directory Connect folder. (Unable to find this File)

    Import the Seamless SSO PowerShell module by using this command: Import-Module .\AzureADSSO.psd1. (I can’t even figure out where this is located as it’s return error via PowerShell)

    Thanks for your assistance.

    Peter

    Like

    Reply

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.