How can we improve Azure Active Directory?

← Azure Active Directory

Automate Seamless SSO Kerberos decryption key rollover AZUREADSSOACC

Currently to automate the Kerberos SSO decryption key rollover for AZUREADSSOACC , we would need to store domain admin and tenant global admin credentials in a script or scheduled task.

This is obviously not ideal. We currently having to perform the rollover task manually each month.

Please look at how this process could be improved for automation.

534 votes
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

NL shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
started  ·  Azure AD Team responded  · 

Hi everyone,
Thanks for your interest on this feature. This capability is still in the pipeline. The initial estimate was obviously off and we are looking at a new timeline. We are aware of the benefit of having this rollover made automatic and the interest you have on the feature, and that’s how we are looking at it while prioritizing it against other capabilities requests.
Thanks for your patience!

Jairo Cadena
Principal Program Manager
Microsoft Identity

Show previous admin responses (2)

76 comments

Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Mike commented  ·   ·  Flag as inappropriate

    cool that you're still working on this, just checking in again because I keep seeing the warning icon when I look at AD connect and there's never enough time to do it manually.

  • Sam commented  ·   ·  Flag as inappropriate

    It is March 2020 now and there is still no official method to automatically rollover the decryption key??

  • Thomas Oeser commented  ·   ·  Flag as inappropriate

    Hello everyone, in order to avoid domain admin permissions and use a local ad service account for the kerberos key rollover this account needs write and reset password permissions on the AZUREADSSOACC computer object. Then it is important to use the command "Update-AzureADSSOForest -OnPremCredentials $OnpremCred -PreserveCustomPermissionsOnDesktopSsoAccount" in your scripts. Note that the parameter -PreserveCustomPermissionsOnDesktopSsoAccount is important here because this actually prevents modifying the ACLs on the computer object which requires domain admin permissions.

  • Hbaele commented  ·   ·  Flag as inappropriate

    Would be nice to have a way of having a kind of 'custom password' introduced so it can be re-written multiple times in different tenants thus making Seamless Sign-On multi tenant available

  • Roger commented  ·   ·  Flag as inappropriate

    Run the following script on your ADSync box as a scheduled task:

    I used this blog entry : https://joachimloe.com/2018/02/23/automatically-roll-over-the-kerberos-decryption-key-azure-ad-connect-sso/ to build an updated script.

    # Microsoft Online Services Sign-In Assistant.
    # 64-bit Azure Active Directory module for Windows PowerShell.

    $logfile = "C:\scripts\Logs\kerberos_rollover_" + (Get-Date).ToString("yyyy-MM-dd") + ".log"
    $smtpServer = "mail"
    Start-Transcript -Path $logfile
    $CloudUser = 'tenantadmin@domain.onmicrosoft.com'
    $CloudEncrypted = Get-Content "C:\scripts\azure_enc_pw.txt" | ConvertTo-SecureString
    $CloudCred = New-Object System.Management.Automation.PsCredential($CloudUser,$CloudEncrypted)
    $OnpremUser = 'DOMAIN\ADMINUSER'
    $OnpremEncrypted = Get-Content "C:\scripts\local_enc_pw.txt" | ConvertTo-SecureString
    $OnpremCred = New-Object System.Management.Automation.PsCredential($OnpremUser,$OnpremEncrypted)

    Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
    New-AzureADSSOAuthenticationContext -CloudCredentials $CloudCred
    Update-AzureADSSOForest -OnPremCredentials $OnpremCred
    Stop-Transcript

    $body = New-Object System.Text.StringBuilder
    [void] $body.AppendLine("<pre>");
    foreach($line in $log)
    {
    [void] $body.AppendLine($line.ToString())
    }
    [void] $body.AppendLine("</pre>");

    $subject = 'Kerberos Rollover results for ' + (Get-Date).ToString("yyyy-MM-dd")
    Send-MailMessage -From 'SOURCE MACHINE <noreply_source@mydomain.com' -To 'People Who Need to know <admins@mydomain.com>' -Subject $subject -Body $body -SmtpServer myinternal.smtp.server

    When you build the encrypted password files, it's important to do so as your TASK RUNNER ACCOUNT - Powershell encryption ties to the user.

    I go a step further and remove all permissions for everyone, and leave only SYSTEM and the task runner account.

    Create a scheduled task to run on your desired schedule (first of the month, last of the month... other)

    Program - powershell.exe
    Arguments - -ExecutionPolicy Bypass c:\scripts\roll_over_kerberos.ps1 -RunType $true

    That should automatically run the rollover and email you the results afterward.

  • Gina commented  ·   ·  Flag as inappropriate

    I've created the steps in Azure based on that link mentioned below: https://www.insentragroup.com/au/insights/geek-speak/cloud-and-modern-data-center/azure-ad-seamless-sso-kerberos-key-using-azure-automation-and-hybrid-runbook-worker-part-2-of-2/

    but I still can't get it to work unless my on premise account is a domain admin (I've added permissions to the computer object, added it as admin on the ad connect box, added it to run as a service, run as a batch job. No luck with any of that until I made it domain admin).

    I was hoping MS would have a solution by now!

  • Anonymous commented  ·   ·  Flag as inappropriate

    In the mean time, have look at https://www.insentra.com.au/neil-hoffmans-rotating-the-azure-ad-seamless-sso-kerberos-key-manually-part-2-of-2/
    (I did not try this myself, so you are on your own), but it uses a regular on prem account (no domain admin) with just the rights on the AZUREADSSOACC computer account) and a global administrator account, because that's what you need (until we can create AAD custom roles?). But the credentials are stored securely using the Azure Automation Credential Assets feature.

← Previous 1 3 4

Azure Active Directory: Azure AD Connect

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice