AD Connect - Roll over the Kerberos decryption key

Updated: Nov 25, 2019

I have been working with many customers over the past months, and I noticed that most of them (or the managed services companies running their environments) have no clue that they have to roll over the Pass-through Authentication Kerberos key every 30 days.

The instructions on how to do it, with detailed notes on the DOs and DON'Ts, can be found here.

How can I roll over the Kerberos decryption key?

The simplest and most cost-effective way I got this done is by having a scheduled script run every 29 days, to keep the security of the PTA feature alive.

What do you need?

  1. Create an encrypted password file for PowerShell, as below.

If you want to automate PowerShell scripts to do a job for you, and you don't want to (and you never should) put the password in the script itself, then this is a great thing.

You create an encrypted txt file from the user ID and password you enter at the prompt; the file is then created with the password information in encrypted form. The export location must be the location where the script is going to run, as you cannot move/copy the file to a different location after export. You can then use the password file from the scripts you have created.

#Start of Script

#Encrypt Password for use in PowerShell
#Comment: Will prompt you for username and password, and will encrypt the password to a txt file.
#Without -Key, ConvertFrom-SecureString protects the string with DPAPI, so the file can only be
#decrypted by the same Windows user on the same machine that created it.
#The file will contain only the password, and you must write it to the location where you are
#going to read it from in the other script.

$credential = Get-Credential
$credential.Password | ConvertFrom-SecureString | Set-Content "<Type the Path>\Encrypted_Password.txt"

#end of the script

2. Microsoft Online Services Sign-In Assistant.

3. 64-bit Azure Active Directory module for Windows PowerShell.

4. A Global Administrator account

Schedule the below script on your AD Connect server.

#Cloud (Azure AD) Global Administrator credential, rebuilt from the encrypted password file
$CloudUser = '<cloud admin UPN>'
$CloudEncrypted = Get-Content "<type the path of the script>\Cloud_Encrypted_Password.txt" | ConvertTo-SecureString
$CloudCred = New-Object System.Management.Automation.PSCredential($CloudUser,$CloudEncrypted)

#On-premises Domain Administrator credential, rebuilt from its own encrypted password file
$OnpremUser = 'DOMAIN\service_account'
$OnpremEncrypted = Get-Content "<type the path of the script>\Onprem_Encrypted_Password.txt" | ConvertTo-SecureString
$OnpremCred = New-Object System.Management.Automation.PSCredential($OnpremUser,$OnpremEncrypted)

#Load the Seamless SSO module that ships with Azure AD Connect, sign in to the tenant and roll the key
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
New-AzureADSSOAuthenticationContext -CloudCredentials $CloudCred
Update-AzureADSSOForest -OnPremCredentials $OnpremCred

#Source and script credit: Joachim Løe
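The two scripts above work, but a scheduled task that silently fails is worse than no task at all: the most common failure is that the DPAPI-protected password files were created by a different Windows account (or on a different machine) than the one the task runs as, so ConvertTo-SecureString throws and the key is never rolled. The following wrapper is an added example, not part of the original post or of Joachim Løe's script. It checks that both password files decrypt for the current account, runs the same rollover commands, and then verifies the rollover by reading PasswordLastSet on the AZUREADSSOACC computer account (the account whose password is the Kerberos decryption key that Seamless SSO uses) from the PDC emulator. It assumes the RSAT ActiveDirectory module is installed on the AD Connect server; the paths, the cloud user name and the log file location are placeholders.

```powershell
<#
  Added example (not from the original post): wrapper around the rollover script
  that fails loudly instead of silently.
  Assumptions: RSAT ActiveDirectory module present; AZUREADSSOACC is the Seamless SSO
  computer account; all paths and user names below are placeholders to replace.
#>
param(
    [string]$CloudUser  = 'admin@tenant.onmicrosoft.com',   # placeholder
    [string]$OnpremUser = 'DOMAIN\service_account',          # placeholder
    [string]$CredFolder = 'C:\Scripts\SsoRollover',          # placeholder
    [string]$LogFile    = 'C:\Scripts\SsoRollover\rollover.log'
)

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

# Rebuild a PSCredential from a ConvertFrom-SecureString file. Without -Key the file is
# DPAPI-protected, so it only decrypts for the same Windows user on the same machine
# that wrote it; anything else is reported as a clear error instead of a vague failure.
function Get-StoredCredential {
    param([string]$UserName, [string]$Path)
    if (-not (Test-Path -Path $Path)) { throw "Password file not found: $Path" }
    try {
        $secure = Get-Content -Path $Path | ConvertTo-SecureString -ErrorAction Stop
    } catch {
        throw ("Cannot decrypt {0} as {1}\{2} on {3}. Re-create it while logged on as the " +
               "account that runs the scheduled task.") -f $Path, $env:USERDOMAIN, $env:USERNAME, $env:COMPUTERNAME
    }
    return New-Object System.Management.Automation.PSCredential($UserName, $secure)
}

# Age of the Kerberos decryption key = age of the AZUREADSSOACC computer account password.
# Password changes replicate urgently to the PDC emulator, so query it directly to avoid
# reading a stale value from another DC right after the rollover.
function Get-SsoKeyAge {
    Import-Module ActiveDirectory -ErrorAction Stop
    $pdc = (Get-ADDomain).PDCEmulator
    $acc = Get-ADComputer -Identity 'AZUREADSSOACC' -Server $pdc -Properties PasswordLastSet
    return New-TimeSpan -Start $acc.PasswordLastSet -End (Get-Date)
}

try {
    $cloudCred  = Get-StoredCredential -UserName $CloudUser  -Path (Join-Path $CredFolder 'Cloud_Encrypted_Password.txt')
    $onpremCred = Get-StoredCredential -UserName $OnpremUser -Path (Join-Path $CredFolder 'Onprem_Encrypted_Password.txt')

    $before = Get-SsoKeyAge
    Write-Log ('Key age before rollover: {0:N1} days' -f $before.TotalDays)

    # Same three commands as the post's script
    Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1' -ErrorAction Stop
    New-AzureADSSOAuthenticationContext -CloudCredentials $cloudCred
    Update-AzureADSSOForest -OnPremCredentials $onpremCred

    # Verify: the command returning is not proof; PasswordLastSet must have moved.
    $after = Get-SsoKeyAge
    if ($after.TotalMinutes -gt 5) {
        throw ('Rollover command returned but PasswordLastSet is still {0:N1} days old' -f $after.TotalDays)
    }
    Write-Log 'Rollover verified: AZUREADSSOACC password was just reset'
    exit 0
} catch {
    Write-Log ('ROLLOVER FAILED: {0}' -f $_.Exception.Message)
    exit 1   # non-zero so Task Scheduler's Last Run Result shows the failure
}
```

Schedule this wrapper every 29 days in Task Scheduler as the same Windows account that created the two password files, and alert on a non-zero Last Run Result; the log file also gives you a simple way to prove the key has not drifted past 30 days during an audit.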

Hope this helps! Share and comment if it's helpful.
