{"id":1756,"date":"2019-06-06T01:00:00","date_gmt":"2019-06-06T01:00:00","guid":{"rendered":"http:\/\/inswwdev.azurewebsites.net\/au\/insights\/uncategorized\/rotating-the-azure-ad-seamless-sso-kerberos-key-manually-part-1-of-2\/"},"modified":"2024-10-10T08:20:52","modified_gmt":"2024-10-10T08:20:52","slug":"rotating-the-azure-ad-seamless-sso-kerberos-key-manually-part-1-of-2","status":"publish","type":"post","link":"https:\/\/www.insentragroup.com\/gb\/insights\/geek-speak\/cloud-and-modern-data-center\/rotating-the-azure-ad-seamless-sso-kerberos-key-manually-part-1-of-2\/","title":{"rendered":"Rotating the Azure AD Seamless SSO Kerberos Key Manually (Part 1 of 2)"},"content":{"rendered":"<p style=\"text-align: justify;\">Microsoft recommends rolling over the Kerberos decryption key of the AZUREADSSOACC computer account, the secret that makes Seamless SSO work, at least every 30 days.\u00a0 This blog, which is Part 1 of a series, reviews how to do it manually; in Part 2 we will show how to automate it and run it on a schedule.<\/p>\n<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\">A little about Azure AD Seamless Single Sign On<\/h3>\n<p style=\"text-align: justify;\">Azure AD Seamless SSO gives your users single sign-on to Azure AD \/ Office 365.\u00a0 It is a feature your end users will really enjoy, and the best part is that it doesn\u2019t even require an Azure AD Premium license!<\/p>\n<p style=\"text-align: justify;\">It gives end users a Single Sign On (SSO) experience similar to ADFS, but without the infrastructure needed to run and maintain ADFS.<\/p>\n<p style=\"text-align: justify;\">Put simply, when a user attempts to sign in to a Microsoft login page, e.g.\u00a0<a href=\"https:\/\/portal.office.com\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">https:\/\/portal.office.com<\/a>,\u00a0their domain-joined computer obtains a Kerberos ticket from Active Directory and the browser presents that ticket to Azure AD, so the user does not have to enter a password (the password itself never leaves the domain).<\/p>\n<p style=\"text-align: justify;\">There are a few requirements for this to work:<\/p>\n<ul>\n<li>The Single Sign On feature must be enabled in Azure AD Connect<\/li>\n<li>You must be using a supported browser, see\u00a0<a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/hybrid\/how-to-connect-sso\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">HERE<\/a>\u00a0for more details<\/li>\n<li>The AD UserPrincipalName (UPN) of the logged-in user must match the Office 365 UPN \/ sign-in name<\/li>\n<li>The user must be on a domain-joined computer that can reach a Domain Controller<\/li>\n<li>You must add the following URL to the Local Intranet Zone of the Internet Explorer security settings (this is what allows the browser to hand a Kerberos ticket to it)\n<ul>\n<li>https:\/\/autologon.microsoftazuread-sso.com<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\">How it works<\/h3>\n<p style=\"text-align: justify;\">This functionality is achieved by using a special computer account in AD called AZUREADSSOACC, which represents Azure AD.\u00a0 The Kerberos decryption key of this account (derived from its password) is securely shared with Azure AD.\u00a0 When a user is at the Azure AD sign-in page and has entered their username (or a domain hint is supplied in the URL), JavaScript on the page sends a request to https:\/\/autologon.microsoftazuread-sso.com in the background.\u00a0 Azure AD answers with a 401 challenge asking for a Kerberos ticket, and because that URL is in the Local Intranet zone the browser asks a domain controller for a service ticket for AZUREADSSOACC.\u00a0 The domain controller issues the ticket, encrypted with the AZUREADSSOACC key, and the browser passes it to Azure AD over the TLS session.\u00a0 Azure AD decrypts the ticket with the previously shared key and reads from it the identity of the user signed in to the domain-joined device.<\/p>\n<p style=\"text-align: justify;\">After evaluation, Azure AD either returns a token to the application or asks the user for additional proofs, such as Multi-Factor Authentication.<\/p>\n<h3 style=\"padding-bottom: 
15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\">So far so good?<\/h3>\n<p style=\"text-align: justify;\">The shared key is exactly as sensitive as the AZUREADSSOACC password: anyone who obtains it can forge a Kerberos ticket for AZUREADSSOACC in the name of any synchronised user, and Azure AD will accept it, so treat it like any other domain controller secret.\u00a0 For this reason Microsoft highly recommends rolling over the AZUREADSSOACC Kerberos decryption key every 30 days.\u00a0 There have long been rumours that Azure AD Connect would gain functionality to do this automatically, but nothing has been announced.<\/p>\n<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\">How to reset the key manually<\/h3>\n<p style=\"text-align: justify;\">You must reset the AZUREADSSOACC Kerberos Key in each AD Domain within the Forest where AD Connect Seamless SSO is enabled.\u00a0 To determine which domains are configured in your environment, run the following in an elevated PowerShell session on your AD Connect Server:<\/p>\n<p style=\"text-align: justify;\">Import-Module \"C:\\Program Files\\Microsoft Azure Active Directory Connect\\AzureADSSO.psd1\"<\/p>\n<p style=\"text-align: justify;\">New-AzureADSSOAuthenticationContext # Sign in with a Global Admin account<\/p>\n<p style=\"text-align: justify;\">Get-AzureADSSOStatus | ConvertFrom-Json<\/p>\n<p style=\"text-align: justify;\"><img decoding=\"async\" style=\"width: 537px; height: 189px;\" src=\"https:\/\/www.insentragroup.com\/wp-content\/uploads\/sites\/20\/2021\/02\/neil_hoffman_blog1_img_1.jpg\" alt=\"\" data-udi=\"umb:\/\/media\/3b835046a185431c8e232766099864b4\" \/><\/p>\n<p style=\"text-align: justify;\">Note the Domains field.\u00a0 If you have multiple domains, you will need to reset the AZUREADSSOACC password in each AD domain by issuing the following command:<\/p>\n<p style=\"text-align: justify;\">Update-AzureADSSOForest<\/p>\n<p style=\"text-align: justify;\">You will be prompted for credentials: use a Domain Admin of the AD domain you are rotating the key in, in SamAccountName format, e.g. DOMAIN\\Username.<\/p>\n<p style=\"text-align: justify;\">Do this in each AD domain as required.\u00a0 If you will run this for several domains from the same PowerShell session, you can capture the credentials in a variable and pass them in:<\/p>\n<p style=\"text-align: justify;\">$Cred = Get-Credential<\/p>\n<p style=\"text-align: justify;\">Update-AzureADSSOForest -OnPremCredentials $Cred<\/p>\n<p style=\"text-align: justify;\"><em>Note: this is the quick and dirty method.\u00a0 In Part 2, when we automate this, we will not use a Domain Admin account but a least-privilege account.<\/em><\/p>\n<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\">Testing<\/h3>\n<p style=\"text-align: justify;\">To confirm that it worked, open PowerShell on a Domain Controller in each domain where you ran the command and run:<\/p>\n<p style=\"text-align: justify;\">Get-ADComputer AZUREADSSOACC -Properties PasswordLastSet | Format-List Name,PasswordLastSet<\/p>\n<p style=\"text-align: justify;\">The PasswordLastSet time stamp should coincide with when you ran the command.<\/p>\n<p style=\"text-align: justify;\"><img decoding=\"async\" style=\"width: 728px; height: 115px;\" src=\"https:\/\/www.insentragroup.com\/wp-content\/uploads\/sites\/20\/2021\/02\/neil_hoffman_blog1_img_2.jpg\" alt=\"\" data-udi=\"umb:\/\/media\/ccec303a98624015a49f04241de68e65\" \/><\/p>\n<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\">At this point verify that Seamless SSO still works.<\/h3>\n<p style=\"text-align: justify;\">The steps above will get the job done, but they would need to be repeated manually every 30 days and let\u2019s face it, manually doing tasks on a schedule is, well, lame!\u00a0 I hope you enjoyed this blog and please reach out to us if you have any questions.\u00a0 Stay tuned for Part 2 of this blog, in which we will show how to automate this using Azure Automation with Hybrid Runbook 
Workers!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft recommends rotating the Encryption Key for this sensitive account every 30 days.\u00a0 This blog, which is Part 1 of a series, will review how to do it manually and in Part 2 we will demonstrate how to automate it and run it on a schedule. A little about Azure AD Seamless Single Sign On&hellip; <a class=\"more-link\" href=\"https:\/\/www.insentragroup.com\/gb\/insights\/geek-speak\/cloud-and-modern-data-center\/rotating-the-azure-ad-seamless-sso-kerberos-key-manually-part-1-of-2\/\">Continue reading <span class=\"screen-reader-text\">Rotating the Azure AD Seamless SSO Kerberos Key Manually (Part 1 of 2)<\/span><\/a><\/p>\n","protected":false},"author":91,"featured_media":1757,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[21],"tags":[],"class_list":["post-1756","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud-and-modern-data-center","entry"],"_links":{"self":[{"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/posts\/1756","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/users\/91"}],"replies":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/comments?post=1756"}],"version-history":[{"count":1,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/posts\/1756\/revisions"}],"predecessor-version":[{"id":18672,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/posts\/1756\/revisions\/18672"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/media\/1757"}],"wp:attachment":[{"href":"https:\/\/w
ww.insentragroup.com\/gb\/wp-json\/wp\/v2\/media?parent=1756"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/categories?post=1756"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.insentragroup.com\/gb\/wp-json\/wp\/v2\/tags?post=1756"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
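The manual procedure the post describes (discover the Seamless SSO domains, roll the AZUREADSSOACC key in each one, confirm PasswordLastSet moved) as one end-to-end PowerShell script. This is an added example, not the author's code or Microsoft's. It assumes the default AzureADSSO.psd1 install path, that the RSAT ActiveDirectory module is installed on the Azure AD Connect server so Get-ADComputer can query each domain remotely (the post runs that check on a Domain Controller instead), that Get-AzureADSSOStatus reports the configured domains in a Domains field as the post's screenshot shows, and that each domain name it returns is accepted by -Server. The 30-day threshold ($MaxKeyAgeDays), the 10-minute skew allowance and the function Get-SsoKeyAge are this example's own choices.

```powershell
# Added example (not the blog author's code): manual rotation of the AZUREADSSOACC
# Kerberos decryption key for every Seamless SSO domain, with a pre-check that
# reports how overdue the key is and a post-check that the password really changed.
# Assumptions: elevated PowerShell on the Azure AD Connect server; default module
# path; RSAT ActiveDirectory module present; one Domain Admin credential per domain.
#Requires -RunAsAdministrator

$ModulePath    = 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
$MaxKeyAgeDays = 30   # Microsoft's recommended rollover interval (example constant)

Import-Module $ModulePath -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

# Interactive sign-in to Azure AD with a Global Administrator account.
New-AzureADSSOAuthenticationContext

# Which on-premises domains have Seamless SSO enabled? (Domains field, as in the post.)
$Status = Get-AzureADSSOStatus | ConvertFrom-Json
if (-not $Status.Domains) {
    throw 'Get-AzureADSSOStatus returned no domains; Seamless SSO does not appear to be enabled.'
}

function Get-SsoKeyAge {
    # Returns PasswordLastSet of the AZUREADSSOACC computer account in one domain.
    # (Example helper, not part of the AzureADSSO module.)
    param(
        [Parameter(Mandatory)] [string]       $Domain,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    (Get-ADComputer -Identity 'AZUREADSSOACC' -Server $Domain -Credential $Credential `
        -Properties PasswordLastSet).PasswordLastSet
}

$Report = foreach ($Domain in $Status.Domains) {
    # Domain Admin of the target domain, in DOMAIN\Username (SamAccountName) format.
    $Cred = Get-Credential -Message "Domain Admin credentials for $Domain (DOMAIN\Username)"

    # Pre-check: how old is the current key?
    $Before  = Get-SsoKeyAge -Domain $Domain -Credential $Cred
    $AgeDays = [math]::Floor((New-TimeSpan -Start $Before -End (Get-Date)).TotalDays)
    Write-Host ("{0}: key last set {1:u} ({2} days ago)" -f $Domain, $Before, $AgeDays)

    # Roll the key: resets the AZUREADSSOACC password in this domain and hands the
    # new Kerberos decryption key to Azure AD. Never reset this account's password
    # any other way, or Azure AD will be left holding a key AD no longer uses.
    Update-AzureADSSOForest -OnPremCredentials $Cred

    # Post-check: PasswordLastSet must now be later than before and close to "now".
    $After   = Get-SsoKeyAge -Domain $Domain -Credential $Cred
    $Rotated = ($After -gt $Before) -and (((Get-Date) - $After).TotalMinutes -lt 10)

    [pscustomobject]@{
        Domain             = $Domain
        PasswordLastSetOld = $Before
        PasswordLastSetNew = $After
        WasOverdue         = $AgeDays -gt $MaxKeyAgeDays
        Rotated            = $Rotated
    }
}

$Report | Format-Table -AutoSize
if ($Report.Rotated -contains $false) {
    Write-Error 'At least one domain did not show a fresh PasswordLastSet; do not assume the key rolled over.'
}
```

Run it once per forest where Seamless SSO is configured; it prompts for Azure AD once and for Domain Admin credentials once per domain. A WasOverdue value of True in the report is worth flagging to whoever owns the 30-day schedule, and a Rotated value of False means Update-AzureADSSOForest did not change the account password in that domain, so the Azure AD side should not be trusted to have a new key either. After the report is clean, test an actual browser sign-in from a domain-joined machine, as the post says, before calling the rotation done.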