26th January 2022
MIcrosoft Azure - Seamless SSO Kerberos Keys

Azure – Seamless single sign-on

We recommend that you roll over Kerberos decryption keys

To fast rollover the Kerberos decryption key(s), you can use this Powershell script: https://github.com/T13nn3s/microsoft/blob/main/SSOSeamlessKeyRollover.ps1.

In this article, we do a quick talk about Seamless single sign-on in the Azure Active Directory. The Azure AD provides SSO to users with passthrough authentication. The user experience is most optimal on Windows 10 devices, it’s not required that these Windows 10 devices are joined to the Azure AD. The warning points to this article from Microsoft.

It is important to frequently roll over the Kerberos decryption key of the AZUREADSSO computer account. This computer account is representing the Azure AD which is created in your on-premises AD forest. Microsoft recommends that the Kerberos decryption key is being enrolled every 30 days.

Unfortunately, it is not yet possible to automate this process. Microsoft is currently working on a solution to automatically refresh Kerberos decryption keys. How can we improve Azure Active Directory? Automate Seamless SSO Kerberos decryption key rollover AZUREADSSOACC

With the following steps you can roll the Kerberos decryption keys:

First, make sure that you have installed the Azure AD PowerShell cmdlet.

  1. On your on-premise AD open Windows PowerShell.
  2. Navigate to the $env:programfiles\Microsoft Azure Active Directory Connect folder.
  3. Import the Seamless SSO PowerShell module using this command: Import-Module .\AzureADSSO.psd1.
  4. Run PowerShell as an Administrator. In PowerShell, call New-AzureADSSOAuthenticationContext. This command should give you a popup to enter your tenant’s Global Administrator credentials.
  5. Call Get-AzureADSSOStatus | ConvertFrom-Json. This command provides you the list of AD forests (look at the “Domains” list) on which this feature has been enabled.

Now you know on wich forests ou need to roll the Kerberos decryption keys. In my environment, I have only one forest.

  1. Now you can call the $creds = Get-Credential and fill in the on-premise administrator account credentials.
  2. Last but not least with this commando Update-AzureADSSOForest -OnPremCredentials $cred you can roll the Kerberos decryption keys.
Change Kerberos SSO decryption keys through PowerShell
Roll Kerberos encryption keys with Windows PowerShell

To check if the Kerberos key is changed successfully, you can check the EventID 4724 (attempt to change the account’s password) and EventID 4742 for the actual password change for the AZUREADSSOACC computer’s account. It can take a few minutes, but then you can see in the Azure AD Portal that the Kerberos keys are rolled.

We recommend that you roll over Kerberos decryption keys 2
Kerberos Decryption key is successfilly changed

Do you have any questions, please let me know! Have a secure day!


I'm a cybersecurity enthusiast! I'm working as an IT Security Engineer for a company in The Netherlands. I love writing scripts and doing research and pentesting. As a big fan of Hack The Box, I share my write-ups on this blog. I'm blogging because I like to summarize my thoughts and share them with you.

View all posts by T13nn3s →

Leave a Reply

Your email address will not be published.