Azure AD Seamless SSO Kerberos Key Using Azure Automation and Hybrid Runbook Worker (Part 2 of 2)

In Part 1 of this series, we looked at how to rotate this sensitive key manually.  In this blog, we will go through how to automate the process.

There are several ways to automate this. The most obvious is a PowerShell script run by Task Scheduler on your AD Connect server, but that leaves you with the problem of storing the passwords for both accounts the script needs. There are methods to save passwords using secure strings in password files, but they come with some limitations.

I see this as a perfect opportunity to use Azure Automation as it has a nifty feature called Credential Assets that will allow you to securely store credentials for just such an occasion.  Azure Automation natively runs in Azure against publicly exposed endpoints such as Azure PowerShell, Exchange Online PowerShell etc.; however, by utilizing the Hybrid Runbook Worker feature, we will be able to execute scripts securely on servers within your datacenter as required here.

So, let’s review…

Automation Accounts = Cool

Automation Accounts + Credential Assets = Really Cool

Automation Accounts + Credential Assets + Hybrid Runbook Workers = Wickedly Cool!

Let’s get started!

We will be using the AD Connect server as the Hybrid Runbook Worker since the script needs to be executed there anyway.  If you are taking advantage of AD Connect Staging Mode, you can configure both the primary and staging servers as Hybrid Runbook Workers for redundancy.  The script can be executed from either one.

You will need an Azure subscription associated with the same Azure AD Tenant as your Office 365 subscription. If you don’t have one, just go to https://portal.azure.com/ and create a free trial.  The monthly cost to run the processes in this blog would be negligible so don’t fret about that!

Step 1 – In your Azure Subscription, navigate to Resource Groups and create a Resource Group to house the Azure components.  Give it an appropriate name and choose the region based on your location then click Create.

Step 2 – In your Azure subscription, navigate to Automation Accounts and create an Automation Account (or you can use an existing one).  Give it an appropriate name, choose the Resource Group created in Step 1 and choose the region based on your location then click Create.

Step 3 – In your Azure subscription, navigate to Log Analytics Workspaces and create a Log Analytics Workspace (or you can use an existing one).  Choose the Resource Group created in Step 1 and choose the same region as you did for your Automation Account then click OK.

Once the Log Analytics Workspace is created, navigate to General – Workspace summary and click the + Add button to install the Azure Automation solution which will allow you to create Hybrid Runbook Workers.  Search for the “Automation Hybrid Worker” solution then click Create.

Step 4 – Create your accounts.

  • Create the on-premises AD service account and set the password to not expire. No special group memberships are needed aside from Domain Users.
  • Create the cloud service account. You can optionally use the on-premises service account; just make sure that it is synced and has a verified UPN suffix. This account must be a Global Admin in Azure AD.

Note: Multi-Factor Authentication must be disabled for the cloud service account, or at least bypassed when connecting from your datacenter IP ranges.

Step 5 – Locate the computer account AZUREADSSOACC, which by default is in the Computers container.  Right click it, choose properties and go to the security tab.  Add the on-premises service account created in Step 4 and grant these two permissions: Write & Reset Password then click OK.

Step 6 – You must reset the AZUREADSSOACC Kerberos Key in each AD Domain within the Forest where AD Connect Seamless SSO is enabled.  To determine which domains are configured in your environment, do the following on either AD Connect Server from PowerShell:

Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1"

New-AzureADSSOAuthenticationContext # Sign in with a Global Admin account

Get-AzureADSSOStatus | ConvertFrom-Json

If you have multiple domains, you would need to reset the AZUREADSSOACC password in each domain which can be done by modifying the script provided below and assigning the appropriate permissions on each object.

Step 7 – In order to enable the Hybrid Runbook Worker role, you must first install the Microsoft Monitoring Agent (MMA) on your AD Connect Server(s).  Go to the Log Analytics Workspace created in Step 3 and navigate to Settings – Advanced Settings – Connected Sources – Windows Servers.  From here you can download and install the Agent.  You must also copy the Workspace ID and the Primary Key.

Run the MMA agent install wizard on your AD Connect Server(s) and choose “Connect to Azure Log Analytics (OMS)”, enter the Workspace ID and Key and finish the wizard.

Step 8 – Navigate to the Automation Account from Step 2 and select Keys.  Copy the Primary Key and the URL.

Register the AD Connect Server(s) as a Hybrid Runbook Worker by opening an elevated PowerShell window and navigating to the following directory:

C:\Program Files\Microsoft Monitoring Agent\Agent\AzureAutomation\<version>\HybridRegistration

Run the following commands:

Import-Module .\HybridRegistration.psd1

Add-HybridRunbookWorker -GroupName <String> -EndPoint <Url> -Token <String>

  • GroupName: This is the name of the Hybrid Worker Group. Either the node will be added to an existing group or a new group will be created if it doesn’t exist.
  • EndPoint: This is the URL copied from the Keys page in Step 8.
  • Token: This is the Primary Key copied from the Keys page in Step 8.

Example: Add-HybridRunbookWorker -GroupName ADConnectWorkerGroup -EndPoint https://eus2-agentservice-prod-1.azure-automation.net/accounts/f48fa7ee-xxxxx-xxxxxx-xxxxx2-010f5894fc07 -Token 6b0Exxxxxxxxxxxxxxxxxx2XpwOhelZI7wbWA5f5Kxuyr9RXs9LyipgIR5CBw==

Once this is completed, you should see the Hybrid Worker Group and the workers within that group by opening the Automation Account and navigating to Process Automation – Hybrid worker groups.

Step 9 – Navigate to the Automation Account created in Step 2 and select Credentials.

  • Create on-premises Credential
    • This is the on-premises account from Step 4. Use the SamAccountName format e.g. DOMAIN\Username and the non-expiring password that you used to create the account.  In the example below this Credential is called AADSSOOnPremCredential.
  • Create Cloud Credential
    • This is the global admin account from Step 4. Use the fully qualified UPN format e.g. Username@domain.com.  In the example below this credential is called AADSSOCloudCredential.

Step 10 – Navigate to the Automation Account created in Step 2 and select Runbooks (there will be some tutorial Runbooks which you can leave there)

Create a new Runbook of type PowerShell. In this example we are calling it “ResetAADSeamlessSSOKerberosKey”.  Once you create the Runbook, you will be brought to the Runbook edit screen.  Copy the script below, substituting the Credential names as necessary:

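# This script will trigger a reset of the Kerberos key for Azure AD SSO - this should be run every 30 days

# Retrieve both service account credentials from the Automation Account's Credential Assets
$OnPremCred = Get-AutomationPSCredential -Name "AADSSOOnPremCredential"

$CloudCred = Get-AutomationPSCredential -Name "AADSSOCloudCredential"

# Load the Seamless SSO module that ships with AD Connect
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1"

# Authenticate to Azure AD with the cloud (Global Admin) credential
New-AzureADSSOAuthenticationContext -CloudCredentials $CloudCred

# Roll the AZUREADSSOACC Kerberos key on-premises and update it in Azure AD
Update-AzureADSSOForest -OnPremCredentials $OnPremCred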

Once your script is setup, click Save and Publish.

Step 11 – Testing.  In order to test, navigate to the Automation Account – Runbooks – the Runbook you created and select “Start”.  Note: this should be tested first in a lab environment or during a maintenance window.

Under Run Settings choose “Hybrid Worker” and choose your Hybrid Worker Group.  Then click OK.

Wait until the Status shows “Completed” then click on the Output tab and you should see “The operation completed successfully”.

Finally, to confirm that it worked, open PowerShell from a Domain Controller and run:

Get-ADComputer AZUREADSSOACC -Properties * | FL Name,PasswordLastSet

The timestamp should coincide with the Runbook execution.

At this point verify that Seamless SSO still works.
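The Step 11 check can also be built into the Runbook so that a run which did not actually change the key ends as Failed instead of Completed. The following is an added example, not the original author's script: the helper Get-SsoKeyLastSet and the 15-minute replication wait are hypothetical choices, and it assumes the same Credential Asset names as above and that AZUREADSSOACC lives in the worker's own domain.

```powershell
# Added example: runbook variant that confirms the key rotation before reporting success.
$ErrorActionPreference = 'Stop'   # surface cmdlet errors as terminating errors where honoured

# Assumption: same Credential Asset names as the runbook in Step 10.
$OnPremCred = Get-AutomationPSCredential -Name 'AADSSOOnPremCredential'
$CloudCred  = Get-AutomationPSCredential -Name 'AADSSOCloudCredential'
if (-not $OnPremCred -or -not $CloudCred) { throw 'Credential asset not found.' }

function Get-SsoKeyLastSet {
    # Hypothetical helper: reads pwdLastSet of AZUREADSSOACC over LDAP,
    # so the ActiveDirectory (RSAT) module is not needed on the AD Connect server.
    $searcher = [adsisearcher]'(&(objectCategory=computer)(sAMAccountName=AZUREADSSOACC$))'
    [void]$searcher.PropertiesToLoad.Add('pwdlastset')
    $result = $searcher.FindOne()
    if (-not $result) { throw 'AZUREADSSOACC not found in the current domain.' }
    # pwdLastSet is stored as a Windows FILETIME (Int64)
    [DateTime]::FromFileTimeUtc([int64]$result.Properties['pwdlastset'][0])
}

$before = Get-SsoKeyLastSet

Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
New-AzureADSSOAuthenticationContext -CloudCredentials $CloudCred
Update-AzureADSSOForest -OnPremCredentials $OnPremCred

# The change may land on a different domain controller than the one queried,
# so poll until it is visible or the wait (constructed value) runs out.
$deadline = (Get-Date).AddMinutes(15)
do {
    $after = Get-SsoKeyLastSet
    if ($after -gt $before) { break }
    Start-Sleep -Seconds 60
} while ((Get-Date) -lt $deadline)

if ($after -le $before) {
    # An unhandled throw marks the Automation job as Failed.
    throw "AZUREADSSOACC pwdLastSet unchanged ($before UTC); key rotation not confirmed."
}
Write-Output "AZUREADSSOACC key rotated: $before UTC -> $after UTC"
```

Because the job status now reflects the result, an alert on failed jobs for this Runbook will catch a missed monthly rotation.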

Step 12 – Go to the Automation Account and navigate to Shared Resources – Schedules and create a Schedule to run once a month on the appropriate day and click Create.  Then navigate to the Automation Account, select Runbooks, choose your Runbook and select Schedules.  Link the Schedule you just created.  Under “Parameters and run settings” choose your Hybrid Worker Group then click OK.

Summary

We have successfully created an automated process that runs every 30 days to reset the Kerberos Key for the Azure AD Seamless SSO account, AZUREADSSOACC, as per Microsoft’s recommendation.  We accomplished this by using Azure Automation and Hybrid Runbook Workers.  I hope you enjoyed this blog and please reach out to us if you have any questions!
