Automate Seamless SSO Kerberos decryption key rollover AZUREADSSOACC
Currently to automate the Kerberos SSO decryption key rollover for AZUREADSSOACC , we would need to store domain admin and tenant global admin credentials in a script or scheduled task.
This is obviously not ideal. We currently having to perform the rollover task manually each month.
Please look at how this process could be improved for automation.
Thanks for your interest on this feature. This capability is still in the pipeline. The initial estimate was obviously off and we are looking at a new timeline. We are aware of the benefit of having this rollover made automatic and the interest you have on the feature, and that’s how we are looking at it while prioritizing it against other capabilities requests.
Thanks for your patience!
Principal Program Manager
Kent Calero commented
#security, we need this guys, it's now May!
It's now April 2020...
It is March 2020 now and there is still no official method to automatically rollover the decryption key??
Thomas Oeser commented
Hello everyone, in order to avoid domain admin permissions and use a local ad service account for the kerberos key rollover this account needs write and reset password permissions on the AZUREADSSOACC computer object. Then it is important to use the command "Update-AzureADSSOForest -OnPremCredentials $OnpremCred -PreserveCustomPermissionsOnDesktopSsoAccount" in your scripts. Note that the parameter -PreserveCustomPermissionsOnDesktopSsoAccount is important here because this actually prevents modifying the ACLs on the computer object which requires domain admin permissions.
Would be nice to have a way of having a kind of 'custom password' introduced so it can be re-written multiple times in different tenants thus making Seamless Sign-On multi tenant available
Run the following script on your ADSync box as a scheduled task:
I used this blog entry : https://joachimloe.com/2018/02/23/automatically-roll-over-the-kerberos-decryption-key-azure-ad-connect-sso/ to build an updated script.
# Microsoft Online Services Sign-In Assistant.
# 64-bit Azure Active Directory module for Windows PowerShell.
$logfile = "C:\scripts\Logs\kerberos_rollover_" + (Get-Date).ToString("yyyy-MM-dd") + ".log"
$smtpServer = "mail"
Start-Transcript -Path $logfile
$CloudUser = 'firstname.lastname@example.org'
$CloudEncrypted = Get-Content "C:\scripts\azure_enc_pw.txt" | ConvertTo-SecureString
$CloudCred = New-Object System.Management.Automation.PsCredential($CloudUser,$CloudEncrypted)
$OnpremUser = 'DOMAIN\ADMINUSER'
$OnpremEncrypted = Get-Content "C:\scripts\local_enc_pw.txt" | ConvertTo-SecureString
$OnpremCred = New-Object System.Management.Automation.PsCredential($OnpremUser,$OnpremEncrypted)
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
New-AzureADSSOAuthenticationContext -CloudCredentials $CloudCred
Update-AzureADSSOForest -OnPremCredentials $OnpremCred
$body = New-Object System.Text.StringBuilder
foreach($line in $log)
$subject = 'Kerberos Rollover results for ' + (Get-Date).ToString("yyyy-MM-dd")
Send-MailMessage -From 'SOURCE MACHINE <email@example.com' -To 'People Who Need to know <firstname.lastname@example.org>' -Subject $subject -Body $body -SmtpServer myinternal.smtp.server
When you build the encrypted password files, it's important to do so as your TASK RUNNER ACCOUNT - Powershell encryption ties to the user.
I go a step further and remove all permissions for everyone, and leave only SYSTEM and the task runner account.
Create a scheduled task to run on your desired schedule (first of the month, last of the month... other)
Program - powershell.exe
Arguments - -ExecutionPolicy Bypass c:\scripts\roll_over_kerberos.ps1 -RunType $true
That should automatically run the rollover and email you the results afterward.
Jeán Hubbard commented
Almost two years since this request was put in........C'mon MS....
I've created the steps in Azure based on that link mentioned below: https://www.insentragroup.com/au/insights/geek-speak/cloud-and-modern-data-center/azure-ad-seamless-sso-kerberos-key-using-azure-automation-and-hybrid-runbook-worker-part-2-of-2/
but I still can't get it to work unless my on premise account is a domain admin (I've added permissions to the computer object, added it as admin on the ad connect box, added it to run as a service, run as a batch job. No luck with any of that until I made it domain admin).
I was hoping MS would have a solution by now!
James Macey commented
It's been almost 4 months since this was "Started".
Please can we have an update.
D. van Boven commented
Is there any news regarding the Kerberos rollover?
Matthew Booker commented
This feature is desperately needed.
MCS UK Infra commented
Please provide an update on automating this kerberos renewal process.
am fost odata conectat pe tweet
Microsoft says "La de da! Did someone ask for something?"
In the mean time, have look at https://www.insentra.com.au/neil-hoffmans-rotating-the-azure-ad-seamless-sso-kerberos-key-manually-part-2-of-2/
(I did not try this myself, so you are on your own), but it uses a regular on prem account (no domain admin) with just the rights on the AZUREADSSOACC computer account) and a global administrator account, because that's what you need (until we can create AAD custom roles?). But the credentials are stored securely using the Azure Automation Credential Assets feature.
Voted - this is definitely needed
Any updates on the automation?
Automate Seamless SSO needed feature. When will it be available to the "public"?
+1 asap please. We shouldn't have to automate it via an unsecured GA account.
Paweł Zieliński commented
This should be automatic. Most Azure users are not even aware it is a security issue.