UPDATE: So happy to see that Microsoft has heard our prayers. They are working on a solution to automate the rollover in Azure. Read more about it HERE.
So, you’ve installed Seamless Sign On, and its been running awesome, by chance you logon to your Azure tenant, just nosy browsing around, improving your Azure skills, and suddenly you find this……. Kerberos Roll Over, wait what? erhm… What?…..
First of, when I saw this, I thought it was a joke, but after thinking it over, it made sense….in a weird kind of way.
First of, when you install AADConnect and enable Seamless Sign On and Single Sign On, you get an extra auto generated Computer object in your AD called AZUAREADSSOACC.
This is the object in charge of handling / generating the shared Kerberos key needed between local AD and Azure AD. (best leave that one alone )
Since this is a “dead, virtual” object, it is not able to create new keys automatically, so for at best practice, MS recommends to do a manual “Roll-Over” every 30 days. I will explain how to do this in a short while, first of, cast your vote HERE, for the feature of AADConnect to do automatic Roll-Overs….Awesome, Thanks.
First of, connect your Powershell ISE to your Tenant.
(You got to know that one by now )
Next you run these simple Cmdlets. (NOTE: These Cmdlets and the text is copied from the official MS documentation. Explanations where great, so no need to convert them )
(I’m really sorry, but for some reason i didn’t get the steps in, where you have to import the powershell script AzureADSSO.psd1. This script has the CMDlets you need.)
You have to run this from the server, where you run AADConnect. So, dive down to the install dir, and import this
cd “C:\Program Files\Microsoft Azure Active Directory Connect”
#This command should give you a popup to enter your tenant’s Global Administrator credentials.
Get-AzureADSSOStatus | fl
#This command provides you the list of AD forests (look at the “Domains” list) on which this feature has been enabled.
#Step 2. Update the Kerberos decryption key on each AD forest that it was set it up on
$O365Cred = Get-Credential
# When prompted, enter the Domain Administrator credentials for the intended AD forest.
Update-AzureADSSOForest -OnPremCredentials $O365Cred
#This command updates the Kerberos decryption key for the AZUREADSSOACC computer account in this specific AD forest and updates it in Azure AD.
#Repeat the preceding steps for each AD forest that you’ve set up the feature on
And you’re done…. AADConnect welcomes you back in 30 days . Seriously, save it in a .psd1 file, for easy running, next time.
THATS why I use PowerShell ISE for everything (and the fact that my memory is really bad )
I’ve seen some bloggers doing articles where they save Global Tenant admin’s and corresponding passwords in text files, encrypted, not encrypted and so on, in an attempt to automate this. Needles to say, this is a MAJOR SECURITY RISK, and cannot be recommended. Better yet, go cast your vote, so that MS puts this feature inside AADConnect.
Until next time, happy cloud computing