Roll over Kerberos decryption key for Seamless SSO computer account

The Kerberos decryption key for the computer account is securely shared with Azure AD and should also be treated as sensitive. We highly recommend a rollover of the Kerberos decryption key for this computer account at least every 30 days. You will also notice a warning in Azure AD when the Kerberos decryption key has not been updated in the last 30 days.

Roll over Kerberos decryption key

The Kerberos decryption key rollover is performed using Windows PowerShell and the required module will be available on the Azure AD Connect server. The commands should therefore be completed while logged onto the Azure AD Connect server.

We require a Global Administrator account to connect to Azure AD, and a Domain Administrator account in the forest root domain to update the Kerberos decryption key.

Open Windows PowerShell and navigate to the “Microsoft Azure Active Directory Connect” folder:

cd 'C:\Program Files\Microsoft Azure Active Directory Connect\'

Import the Seamless SSO PowerShell module:

Import-Module .\AzureADSSO.psd1

Now run the following command to authenticate with Azure AD using your Global Administrator credentials:

New-AzureADSSOAuthenticationContext

There will be a pop-up window where you can enter your credentials, and multi-factor authentication is supported, as per the example below:

We can view the current list of Active Directory forests that have Seamless SSO enabled. This is useful when you have multiple Active Directory forests synchronizing to the same Azure AD tenant:

Get-AzureADSSOStatus | ConvertFrom-Json

Run the following command to update the Kerberos decryption key for the target forest. You will be prompted to provide credentials:

Update-AzureADSSOForest

Provide the domain administrator credentials for the root domain in the target forest. They have to be entered in the “domain\samaccountname” format, otherwise the command will not work.

With the appropriate credentials provided, the command should be completed successfully:

The status of Seamless SSO configuration will be updated in Azure AD after a few minutes:
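The steps above combined into a single script, with a pre-check of the current key age and a post-check afterwards. This is an added example, not code from the original post or from Microsoft; it assumes the ActiveDirectory RSAT module is installed on the Azure AD Connect server and that Update-AzureADSSOForest accepts the -OnPremCredentials parameter, as documented in the Seamless SSO FAQ.

```powershell
# Added example: check the AZUREADSSOACC key age, then roll it over if needed.
# Run in an elevated PowerShell session on the Azure AD Connect server.
# Assumption: the ActiveDirectory module (RSAT) is available on this server.

$MaxKeyAgeDays = 30

# 1. Pre-check: the Kerberos decryption key is the computer account password,
#    so PasswordLastSet reflects the last rollover.
Import-Module ActiveDirectory
$ssoAcc = Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet, ProtectedFromAccidentalDeletion
$keyAge = (Get-Date) - $ssoAcc.PasswordLastSet
Write-Host ("Key last set {0:u}, age {1} days" -f $ssoAcc.PasswordLastSet, [int]$keyAge.TotalDays)
if (-not $ssoAcc.ProtectedFromAccidentalDeletion) {
    Write-Warning 'AZUREADSSOACC is not protected from accidental deletion.'
}
if ($keyAge.TotalDays -lt $MaxKeyAgeDays) {
    Write-Host "Key is within the $MaxKeyAgeDays-day window; no rollover required."
    return
}

# 2. Load the Seamless SSO module shipped with Azure AD Connect.
Set-Location 'C:\Program Files\Microsoft Azure Active Directory Connect\'
Import-Module .\AzureADSSO.psd1

# 3. Authenticate to Azure AD as a Global Administrator (interactive prompt, MFA supported).
New-AzureADSSOAuthenticationContext

# 4. Show which on-premises forests currently have Seamless SSO enabled.
Get-AzureADSSOStatus | ConvertFrom-Json

# 5. Collect root-domain Domain Admin credentials in domain\samaccountname form
#    and roll the key over for the target forest.
$onPremCreds = Get-Credential -Message 'Domain Admin for the forest root domain (domain\samaccountname)'
if ($onPremCreds.UserName -notmatch '^[^\\@]+\\[^\\]+$') {
    throw "Username must be in domain\samaccountname format, got '$($onPremCreds.UserName)'."
}
Update-AzureADSSOForest -OnPremCredentials $onPremCreds

# 6. Post-check: PasswordLastSet should now be within the last few minutes
#    (it may lag briefly if the queried domain controller has not replicated yet).
$after = (Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet).PasswordLastSet
Write-Host ("Key now set at {0:u}" -f $after)
```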

Summary

Updating the Kerberos decryption key for the Azure AD SSO computer account is a fairly simple process. We highly recommend completing these steps at least every 30 days. Ensure the AZUREADSSOACC computer account is protected from accidental deletion and only Domain Admins have access to this account.

Sources
https://azurecloudai.blog/2020/08/03/roll-over-kerberos-decryption-key-for-seamless-sso-computer-account/
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-sso
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-faq#how-can-i-roll-over-the-kerberos-decryption-key-of-the-azureadssoacc-computer-account