How can I roll over the Kerberos decryption key of the AZUREADSSOACC computer account

It is important to frequently roll over the Kerberos decryption key of the AZUREADSSOACC computer account (which represents Azure AD) created in your on-premises AD forest.

Important

We highly recommend that you roll over the Kerberos decryption key at least every 30 days.

Follow these steps on the on-premises server where you are running Azure AD Connect:

Step 1. Get list of AD forests where Seamless SSO has been enabled
1.First, download, and install Azure AD PowerShell.
2.Navigate to the %programfiles%\Microsoft Azure Active Directory Connect folder.
3.Import the Seamless SSO PowerShell module using this command:

Import-Module .\AzureADSSO.psd1.

4.Run PowerShell as an Administrator. In PowerShell, call

New-AzureADSSOAuthenticationContext.

This command should give you a popup to enter your tenant’s Global Administrator credentials.

5.Call Get-AzureADSSOStatus. This command provides you the list of AD forests (look at the “Domains” list) on which this feature has been enabled.

Step 2. Update the Kerberos decryption key on each AD forest that it was set it up on

1.Call $creds = Get-Credential. When prompted, enter the Domain Administrator credentials for the intended AD forest.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.