{"id":1752,"date":"2019-06-07T01:00:00","date_gmt":"2019-06-07T01:00:00","guid":{"rendered":"http:\/\/inswwdev.azurewebsites.net\/au\/insights\/uncategorized\/azure-ad-seamless-sso-kerberos-key-using-azure-automation-and-hybrid-runbook-worker-part-2-of-2\/"},"modified":"2024-09-13T03:54:09","modified_gmt":"2024-09-13T03:54:09","slug":"azure-ad-seamless-sso-kerberos-key-using-azure-automation-and-hybrid-runbook-worker-part-2-of-2","status":"publish","type":"post","link":"https:\/\/www.insentragroup.com\/us\/insights\/geek-speak\/cloud-and-modern-data-center\/azure-ad-seamless-sso-kerberos-key-using-azure-automation-and-hybrid-runbook-worker-part-2-of-2\/","title":{"rendered":"Azure AD Seamless SSO Kerberos Key Using Azure Automation and Hybrid Runbook Worker (Part 2 of 2)"},"content":{"rendered":"

In\u00a0Part 1<\/a>\u00a0of this series, we looked at how to rotate this sensitive key manually.\u00a0 In this blog, we will go through how to automate the process.<\/p>\n

There are several ways to automate this, the most obvious being a PowerShell Script run with Task Scheduler on your AD Connect Server but that introduces challenges to store the passwords for both accounts needed to execute the script.\u00a0 There are methods to save passwords using secure strings in password files, but they come with some limitations.<\/p>\n

I see this as a perfect opportunity to use\u00a0Azure Automation<\/a>\u00a0as it has a nifty feature called Credential Assets that will allow you to securely store credentials for just such an occasion.\u00a0 Azure Automation natively runs in Azure against publicly exposed endpoints such as Azure PowerShell, Exchange Online PowerShell etc., however by utilizing the Hybrid Runbook Worker feature, we will be able to execute scripts securely on servers within your datacenter as required here.<\/p>\n

So, let\u2019s review\u2026<\/p>\n

Automation Accounts = Cool<\/p>\n

Automation Accounts + Credential Assets = Really Cool<\/p>\n

Automation Accounts + Credential Assets + Hybrid Runbook Workers = Wickedly Cool!<\/p>\n

Let\u2019s get started!<\/h3>\n

We will be using the AD Connect server as the Hybrid Runbook Worker since the script needs to be executed there anyway.\u00a0 If you are taking advantage of AD Connect Staging Mode, you can configure both the primary and staging servers as Hybrid Runbook Workers for redundancy.\u00a0 The script can be executed from either one.<\/p>\n

You will need an Azure subscription associated with the same Azure AD Tenant as your Office 365 subscription. If you don\u2019t have one, just go to\u00a0https:\/\/portal.azure.com\/<\/a>\u00a0and create a free trial.\u00a0 The monthly cost to run the processes in this blog would be negligible so don\u2019t fret about that!<\/p>\n

Step 1 \u2013\u00a0<\/strong>In your Azure Subscription, navigate to\u00a0Resource Groups<\/a>\u00a0and create a Resource Group to house the Azure components.\u00a0 Give it an appropriate name and choose the region based on your location then click Create.<\/p>\n

Step 2 \u2013\u00a0<\/strong>In your Azure subscription, navigate to\u00a0Automation Accounts<\/a>\u00a0and create an Automation Account (or you can use an existing one).\u00a0 Give it an appropriate name, choose the Resource Group created in Step 1 and choose the region based on your location then click Create.<\/p>\n

Step 3 \u2013\u00a0<\/strong>In your Azure subscription, navigate to\u00a0Log Analytic Workspaces<\/a>\u00a0and create a Log Analytics Workspace (or you can use an existing one).\u00a0 Choose the Resource Group created in Step 1 and choose the same region as you did for your Automation Account then click OK.<\/p>\n

Once the Log Analytics Workspace is created, navigate to General \u2013 Workspace summary and click the + Add button to install the Azure Automation solution which will allow you to create Hybrid Runbook Workers.\u00a0 Search for the \u201cAutomation Hybrid Worker\u201d solution then click Create.<\/p>\n

Step 4-\u00a0<\/strong>Create your accounts.<\/p>\n