Roll over Kerberos decryption key for Seamless SSO computer account

Background

Seamless Single Sign-On (Seamless SSO) can be configured when using Password Hash Sync (PHS) or Pass-Through Authentication (PTA), as authentication methods in Azure Active Directory (Azure AD). Seamless SSO allows users on domain-joined devices to automatically sign in to Azure AD.

Note that Seamless SSO applies to domain-joined devices; on Azure AD joined or Hybrid Azure AD joined devices, SSO is provided by the primary refresh token instead.

We configure Seamless SSO using Azure AD Connect, which creates a computer account (AZUREADSSOACC) in each Active Directory forest where Seamless SSO is configured. The computer account is used to decrypt the Kerberos tickets presented when signing on to Azure AD and should therefore be treated as sensitive. Move the computer account to an OU where only Domain Admins have access to the object, and protect the object from accidental deletion.

The Kerberos decryption key for the computer account is securely shared with Azure AD and should also be treated as sensitive. We highly recommend rolling over the Kerberos decryption key for this computer account at least every 30 days. Azure AD also displays a warning when the Kerberos decryption key has not been updated in the last 30 days.




Roll over Kerberos decryption key

The Kerberos decryption key rollover is performed using Windows PowerShell, and the required module is available on the Azure AD Connect server. The commands must therefore be run while logged on to the Azure AD Connect server.

We require a Global Administrator account to connect to Azure AD, and a Domain Administrator account in the forest root domain to update the Kerberos decryption key.

Open Windows PowerShell and navigate to the “Microsoft Azure Active Directory Connect” folder:

cd 'C:\Program Files\Microsoft Azure Active Directory Connect\'


Import the Seamless SSO PowerShell module:

Import-Module .\AzureADSSO.psd1


Now run the following command to authenticate with Azure AD using your Global Administrator credentials:

New-AzureADSSOAuthenticationContext


There will be a pop-up window where you can enter your credentials, and multi-factor authentication is supported, as per the example below:



We can view the current list of Active Directory forests that have Seamless SSO enabled. This is useful when you have multiple Active Directory forests synchronizing to the same Azure AD tenant:

Get-AzureADSSOStatus | ConvertFrom-Json


Run the following command to update the Kerberos decryption key for the target forest. You will be prompted to provide credentials:

Update-AzureADSSOForest


Provide the domain administrator credentials for the root domain in the target forest. The user name must be entered in the “domain\samaccountname” format, otherwise the command will fail.



With the appropriate credentials provided, the command should be completed successfully:



The status of Seamless SSO configuration will be updated in Azure AD after a few minutes:
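The steps above, collected into one script that can be run on the Azure AD Connect server. This is an added example and not part of the original post or of the AzureADSSO module; it assumes the ActiveDirectory RSAT module is installed on the server for the before/after check (Get-ADComputer), that the server is joined to the forest being updated, and that there is a single forest to roll over. The key roll-over resets the AZUREADSSOACC computer account password in Active Directory, so the script records PasswordLastSet before and after the roll-over as a simple verification, and the Test-SsoKeyAge function can be scheduled on its own to alert before Azure AD's 30-day warning appears. The account and OU names are the ones from the post; the credential prompts are placeholders filled in at run time.

```powershell
# Added example: roll over the Seamless SSO Kerberos decryption key with a
# pre-check, a credential-format check and a post-check.
# Assumes: elevated PowerShell on the Azure AD Connect server, RSAT
# ActiveDirectory module present, single forest.

function Test-SsoKeyAge {
    # Returns $true when the AZUREADSSOACC password (the Kerberos decryption
    # key) is older than $MaxAgeDays; intended for a scheduled check.
    param([int]$MaxAgeDays = 30)
    $acct = Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet
    $age  = (Get-Date) - $acct.PasswordLastSet
    Write-Host ("AZUREADSSOACC key age: {0:N0} days (limit {1})" -f $age.TotalDays, $MaxAgeDays)
    return ($age.TotalDays -gt $MaxAgeDays)
}

function Invoke-SsoKeyRollover {
    Set-Location 'C:\Program Files\Microsoft Azure Active Directory Connect\'
    Import-Module .\AzureADSSO.psd1

    # Record the current password timestamp so the roll-over can be verified.
    $before = (Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet).PasswordLastSet
    Write-Host "PasswordLastSet before roll-over: $before"

    # Interactive Global Administrator sign-in (MFA supported).
    New-AzureADSSOAuthenticationContext

    # Show which forests currently have Seamless SSO enabled.
    Get-AzureADSSOStatus | ConvertFrom-Json

    # Forest root Domain Admin credential; the module requires domain\samaccountname.
    $onPremCreds = Get-Credential -Message 'Forest root Domain Admin (domain\samaccountname)'
    if ($onPremCreds.UserName -notmatch '^[^\\@]+\\[^\\]+$') {
        throw "User name must be in domain\samaccountname format, got '$($onPremCreds.UserName)'"
    }

    # Roll the Kerberos decryption key and share the new key with Azure AD.
    Update-AzureADSSOForest -OnPremCredentials $onPremCreds

    # Verify: the computer account password timestamp must have advanced.
    $after = (Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet).PasswordLastSet
    if ($after -le $before) {
        throw "PasswordLastSet did not advance ($after); the roll-over may not have completed"
    }
    Write-Host "Roll-over complete. PasswordLastSet is now $after"
}

if (Test-SsoKeyAge -MaxAgeDays 30) {
    Invoke-SsoKeyRollover
} else {
    Write-Host 'Key is within the 30-day window; no roll-over performed.'
}
```

When more than one forest synchronises to the tenant, run Update-AzureADSSOForest once per forest with that forest's root-domain credentials, and run the PasswordLastSet check against a domain controller in the same forest; the Get-AzureADSSOStatus output lists which forests are enabled.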



Summary

Updating the Kerberos decryption key for the Azure AD SSO computer account is a fairly simple process. We highly recommend completing these steps at least every 30 days. Ensure the AZUREADSSOACC computer account is protected from accidental deletion and only Domain Admins have access to this account.




Authors