06 March 2020

Roll Over Kerberos Decryption Key - Until the UserVoice feature gets implemented

Every 30 days you are required by Microsoft to "roll over" the Pass-through Authentication Kerberos key for your tenant.
In the near future you won't need any PowerShell or scripting for this; according to Microsoft UserVoice: "We are currently working on an approach that will allow Tenant Admins to do key rollover from the Azure AD portal; without the need for PowerShell or scripting".

But until then we do this:

On your Azure AD Connect machine, change to the installation directory:
PS C:\> cd '.\Program Files\Microsoft Azure Active Directory Connect'
Then import:
PS C:\Program Files\Microsoft Azure Active Directory Connect> Import-Module .\AzureADSSO.psd1

Run the cmdlet New-AzureADSSOAuthenticationContext (it prompts for Azure AD global administrator credentials):
PS C:\Program Files\Microsoft Azure Active Directory Connect> New-AzureADSSOAuthenticationContext
Check the current status:
PS C:\Program Files\Microsoft Azure Active Directory Connect> Get-AzureADSSOStatus
{"Enable":true,"Exists":true,"Domains":["domain.lan"],"IsSuccessful":true,"ErrorMessage":""}
Then enter your on-premises domain administrator credentials:
PS C:\Program Files\Microsoft Azure Active Directory Connect> $creds = Get-Credential
Then run the command that rolls over the keys, Update-AzureADSSOForest -OnPremCredentials $creds:
PS C:\Program Files\Microsoft Azure Active Directory Connect> Update-AzureADSSOForest -OnPremCredentials $creds
The output should look like this:
[12:10:32.685] [  5] [INFORMATIONAL] UpdateComputerAccount: Locating SSO computer account in DOMAIN...
[12:10:32.701] [  5] [INFORMATIONAL] GetDesktopSsoComputerAccount: Searching in global catalog(forest) and DOMAIN for computer account AZUREADSSOACC
[12:10:33.232] [  5] [INFORMATIONAL] TrySearchAccountUnderGlobalCatalog: Object was found in global catalog(forest), hence skipping DOMAIN search
[12:10:33.232] [  5] [INFORMATIONAL] UpdateComputerAccount: Found SSO computer account at CN=AZUREADSSOACC,CN=Computers,DC=domain,DC=lan. Updating its properties...
[12:10:33.232] [  5] [INFORMATIONAL] UpdateComputerAccount: Granting full control to account admins and enterprise admins for computer account CN=AZUREADSSOACC,CN=Computers,DC=domain,DC=lan...
[12:10:33.907] [  5] [INFORMATIONAL] UpdateComputerAccount: Successfully updated SSO computer account properties.
The operation completed successfully
PS C:\Program Files\Microsoft Azure Active Directory Connect>
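The same steps as one script, with a pre-flight check on the Get-AzureADSSOStatus output and a before/after check on the age of the AZUREADSSOACC computer account password, so you can tell whether the 30-day limit was already exceeded and whether the rollover actually took effect. This is an added example, not code from the original post or from Microsoft; it assumes the ActiveDirectory module (Get-ADComputer) is available on the Azure AD Connect server, that the computer account is named AZUREADSSOACC as in the log above, and that the status cmdlet returns the JSON shown above as a string (an object is handled too).

```powershell
# Added example (not from the original post). Assumptions: ActiveDirectory
# module present for Get-ADComputer; account name AZUREADSSOACC and install
# path as shown in the post; rollover resets the account's password, which
# is the Kerberos decryption key.

$ConnectPath   = 'C:\Program Files\Microsoft Azure Active Directory Connect'
$MaxKeyAgeDays = 30
$SsoAccount    = 'AZUREADSSOACC'

Import-Module (Join-Path $ConnectPath 'AzureADSSO.psd1') -ErrorAction Stop

# Prompts for Azure AD global administrator credentials
New-AzureADSSOAuthenticationContext

# Parse the status instead of eyeballing it; tolerate string or object output
$raw    = Get-AzureADSSOStatus
$status = if ($raw -is [string]) { $raw | ConvertFrom-Json } else { $raw }
if (-not ($status.Enable -and $status.Exists -and $status.IsSuccessful)) {
    throw "Seamless SSO is not enabled or not healthy: $($status.ErrorMessage)"
}
Write-Host "Seamless SSO enabled for: $($status.Domains -join ', ')"

# Age of the current key, taken from the computer account's password timestamp
function Get-SsoKeyAgeDays {
    param([string]$AccountName)
    $acct = Get-ADComputer -Identity $AccountName -Properties PasswordLastSet
    if (-not $acct.PasswordLastSet) { throw "No PasswordLastSet on $AccountName" }
    return (New-TimeSpan -Start $acct.PasswordLastSet -End (Get-Date)).Days
}

$ageBefore = Get-SsoKeyAgeDays -AccountName $SsoAccount
if ($ageBefore -gt $MaxKeyAgeDays) {
    Write-Warning "Kerberos decryption key is $ageBefore days old (limit $MaxKeyAgeDays)."
} else {
    Write-Host "Kerberos decryption key is $ageBefore days old."
}

# On-premises domain administrator credentials for the forest update
$creds = Get-Credential -Message 'On-premises domain administrator (DOMAIN\user)'
Update-AzureADSSOForest -OnPremCredentials $creds

# Verify the rollover reset the account password today
$ageAfter = Get-SsoKeyAgeDays -AccountName $SsoAccount
if ($ageAfter -ne 0) {
    throw "Rollover did not reset the $SsoAccount password (age still $ageAfter days)."
}
Write-Host "Rollover complete; $SsoAccount password reset today."
```

Run it from an elevated PowerShell session on the Connect server. The PasswordLastSet check is also useful on its own as a scheduled reminder: if it reports more than 30 days, the rollover is overdue.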
