Automate Seamless SSO Kerberos decryption key rollover AZUREADSSOACC
Currently to automate the Kerberos SSO decryption key rollover for AZUREADSSOACC , we would need to store domain admin and tenant global admin credentials in a script or scheduled task.
This is obviously not ideal. We currently having to perform the rollover task manually each month.
Please look at how this process could be improved for automation.
Thanks for your interest on this feature. This capability is still in the pipeline. The initial estimate was obviously off and we are looking at a new timeline. We are aware of the benefit of having this rollover made automatic and the interest you have on the feature, and that’s how we are looking at it while prioritizing it against other capabilities requests.
Thanks for your patience!
Principal Program Manager
seems its over 2 years and nothing has changed, scripting passwords is not the way for me. I really wonder if this will ever change.
Do you need one year more to deploy it?
Any News on this topic?
Alison King commented
Any update on this?
MCS UK Infra commented
almost 3 years waiting for this
Peter Tenor commented
It's now June 2020...
cool that you're still working on this, just checking in again because I keep seeing the warning icon when I look at AD connect and there's never enough time to do it manually.
Kent Calero commented
#security, we need this guys, it's now May!
It's now April 2020...
It is March 2020 now and there is still no official method to automatically rollover the decryption key??
Thomas Oeser commented
Hello everyone, in order to avoid domain admin permissions and use a local ad service account for the kerberos key rollover this account needs write and reset password permissions on the AZUREADSSOACC computer object. Then it is important to use the command "Update-AzureADSSOForest -OnPremCredentials $OnpremCred -PreserveCustomPermissionsOnDesktopSsoAccount" in your scripts. Note that the parameter -PreserveCustomPermissionsOnDesktopSsoAccount is important here because this actually prevents modifying the ACLs on the computer object which requires domain admin permissions.
Would be nice to have a way of having a kind of 'custom password' introduced so it can be re-written multiple times in different tenants thus making Seamless Sign-On multi tenant available
Run the following script on your ADSync box as a scheduled task:
I used this blog entry : https://joachimloe.com/2018/02/23/automatically-roll-over-the-kerberos-decryption-key-azure-ad-connect-sso/ to build an updated script.
# Microsoft Online Services Sign-In Assistant.
# 64-bit Azure Active Directory module for Windows PowerShell.
$logfile = "C:\scripts\Logs\kerberos_rollover_" + (Get-Date).ToString("yyyy-MM-dd") + ".log"
$smtpServer = "mail"
Start-Transcript -Path $logfile
$CloudUser = 'firstname.lastname@example.org'
$CloudEncrypted = Get-Content "C:\scripts\azure_enc_pw.txt" | ConvertTo-SecureString
$CloudCred = New-Object System.Management.Automation.PsCredential($CloudUser,$CloudEncrypted)
$OnpremUser = 'DOMAIN\ADMINUSER'
$OnpremEncrypted = Get-Content "C:\scripts\local_enc_pw.txt" | ConvertTo-SecureString
$OnpremCred = New-Object System.Management.Automation.PsCredential($OnpremUser,$OnpremEncrypted)
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
New-AzureADSSOAuthenticationContext -CloudCredentials $CloudCred
Update-AzureADSSOForest -OnPremCredentials $OnpremCred
$body = New-Object System.Text.StringBuilder
foreach($line in $log)
$subject = 'Kerberos Rollover results for ' + (Get-Date).ToString("yyyy-MM-dd")
Send-MailMessage -From 'SOURCE MACHINE <email@example.com' -To 'People Who Need to know <firstname.lastname@example.org>' -Subject $subject -Body $body -SmtpServer myinternal.smtp.server
When you build the encrypted password files, it's important to do so as your TASK RUNNER ACCOUNT - Powershell encryption ties to the user.
I go a step further and remove all permissions for everyone, and leave only SYSTEM and the task runner account.
Create a scheduled task to run on your desired schedule (first of the month, last of the month... other)
Program - powershell.exe
Arguments - -ExecutionPolicy Bypass c:\scripts\roll_over_kerberos.ps1 -RunType $true
That should automatically run the rollover and email you the results afterward.
Jeán Hubbard commented
Almost two years since this request was put in........C'mon MS....
Komoroske, Gina commented
I've created the steps in Azure based on that link mentioned below: https://www.insentragroup.com/au/insights/geek-speak/cloud-and-modern-data-center/azure-ad-seamless-sso-kerberos-key-using-azure-automation-and-hybrid-runbook-worker-part-2-of-2/
but I still can't get it to work unless my on premise account is a domain admin (I've added permissions to the computer object, added it as admin on the ad connect box, added it to run as a service, run as a batch job. No luck with any of that until I made it domain admin).
I was hoping MS would have a solution by now!
James Macey commented
It's been almost 4 months since this was "Started".
Please can we have an update.
D. van Boven commented
Is there any news regarding the Kerberos rollover?
Matthew Booker commented
This feature is desperately needed.
MCS UK Infra commented
Please provide an update on automating this kerberos renewal process.
am fost odata conectat pe tweet