Its’ highly recommended to roll over the kerberos key for Azure AD Connect SSO computer account every 30 days. There is no feature to enable auto roll over of this key.
I’ve used this Blog article to secure the password on the server for the service account:
I’ve configured a Powershell script that runs as a scheduled task on the server where Azure AD Connect is Installed.
# Microsoft Online Services Sign-In Assistant.
# 64-bit Azure Active Directory module for Windows PowerShell.
$CloudUser = '[email protected]'
$CloudEncrypted = Get-Content "C:\Scripts\Cloud_Encrypted_Password.txt" | ConvertTo-SecureString
$CloudCred = New-Object System.Management.Automation.PsCredential($CloudUser,$CloudEncrypted)
$OnpremUser = 'DOMAIN\service_account'
$OnpremEncrypted = Get-Content "C:\Scripts\Onprem_Encrypted_Password.txt" | ConvertTo-SecureString
$OnpremCred = New-Object System.Management.Automation.PsCredential($OnpremUser,$OnpremEncrypted)
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
New-AzureADSSOAuthenticationContext -CloudCredentials $CloudCred
Update-AzureADSSOForest -OnPremCredentials $OnpremCred
Disclaimer: All scripts and references on this blog are offered “as is” with no warranty. These scripts are tested in my environment, it is recommended that it is tested in a test environment before using in production.
This site uses Akismet to reduce spam. Learn how your comment data is processed.