Azure AD-Connect : Rotate those Kerberos decryption keys

If you have a domain synced with AD-Connect which means you local domain is syncing with Azure AD, then it recommended to rotate the keys every 60 days, is this is the warning you get in Azure:

To complete to rotation login to the AD-Connect server for your domain then start Powershell (admin is not required) once you have do this:

Prepare Powershell

cd 'C:\Program Files\Microsoft Azure Active Directory Connect'
Import-Module .\AzureADSSO.psd1
$creds = Get-Credentials

Rotate those Keys

Update-AzureADSSOForest -OnPremCredentials $creds

Check it completed

[08:02:34.780] [  6] [INFORMATIONAL] UpdateComputerAccount: Locating SSO computer account in bears.local...
[08:02:34.790] [  6] [INFORMATIONAL] GetDesktopSsoComputerAccount: Searching in global catalog(forest) and bears.local for computer account AZUREADSSOACC
[08:02:35.320] [  6] [INFORMATIONAL] TrySearchAccountUnderGlobalCatalog: Object was found in global catalog(forest), hence skipping bears.local search
[08:02:35.325] [  6] [INFORMATIONAL] UpdateComputerAccount: Found SSO computer a ccount at CN=AZUREADSSOACC,OU=SSOAccounts,DC=bears,DC=local. Updating its properties...
[08:02:35.325] [  6] [INFORMATIONAL] UpdateComputerAccount: Granting full control to account admins and enterprise admins for computer account CN=AZUREADSSOACC,OU=SSOAccounts,OU=IS Administration,DC=bears.local,DC=intra...
[08:02:35.860] [  6] [INFORMATIONAL] UpdateComputerAccount: Successfully updated SSO computer account properties.
[08:02:35.875] [  6] [INFORMATIONAL] The Tls12 security protocol has been added to the supported protocols of ServicePointManager. Current value of ServicePoint Manager.SecurityProtocol: 'Ssl3, Tls, Tls12'

The operation completed successfully

Check updated status in the GUI:


Previous Post Next Post

Ω†Ω…ΩˆΨ°Ψ¬ Ψ§Ω„Ψ§ΨͺΨ΅Ψ§Ω„