It’s is very important to regularly (every 30 days) roll over the Kerberos key for the AZUREADSSO computer account. This account represents your Azure AD in your on-prem AD.
Permissions needed to perform this operation – on-prem Domain Administrator(DA) and Azure AD Global Administrator(GA)
Assuming your environment consists of a single AD forest:
- Optional – Remove your DA account from the on-prem “Protected Users” AD group(hint – if your DA is not a member of that group – it should be!). In case your environment utilizes PKI and your DA account have this option enabled – “Smart card required for interactive logon” under the Account tab, uncheck it and change the account password.
- Download and install Azure AD PowerShell (soon to be replaced by Microsoft Graph PowerShell) – Open PowerShell as Administrator and call Install-Module AzureAD
- Navigate to
"C:\Program Files\Microsoft Azure Active Directory Connect"
- Import the Seamless SSO PowerShell module –
Import-Module .\AzureADSSO.psd1
- Run PowerShell as Administrator and call
New-AzureADSSOAuthenticationContext
. This command will produce a popup to enter your Azure AD GA credentials. - Call
$creds = Get-Credential
. When prompted enter your DA credentials. Use this format domain\da_account - Call
Update-AzureADSSOForest -OnPremCredentials $creds
. This command updates the Kerberos decryption key for the AZUREADSSO computer account. Open Azure AD and check if the key has been successfully updated – Seamless single sign-on – Microsoft Azure - Optional – Reverse all changes that were made in step #1. Once the “Smart card required for interactive logon” option is enabled again the DA account password will be reset to a random value.