After enforcing AES256 for the Azure AD SSO account, we need to renew the Kerberos Decryption Key in Azure AD to ensure that SSO continues to work.
The rollover of the SSO decryption key is done in a few steps. Since there are already extensive and very good instructions for this, I have refrained from creating another tutorial 🙂 This tutorial is in my opinion one of the best and most understandable: Roll over Kerberos decryption key for Seamless SSO computer account - Azure Cloud & AI Blog
Side Note: Securing the Azure AD SSO Account
When you set up SSO, Azure AD Connect automatically creates a computer account ("AZUREADSSOACC"). This account represents Azure AD in Active Directory.
This is how a login via SSO works: The user's browser requests a Kerberos ticket for the AZUREADSSOACC account. Upon a successful login, a Kerberos ticket is issued by a domain controller for that computer account and sent to the browser. The browser then logs in to Azure AD using the Kerberos ticket.
Since all SSO login operations rely on the AZUREADSSOACC account, it is classified as extremely sensitive. If this account is compromised, the attacker can gain access to the resources of users who log on via SSO. For this reason, Microsoft recommends rolling over the Kerberos Decryption Key every 30 days!
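As an added example (not code from the original post or from Microsoft), here is a PowerShell check a defender can run on a domain-joined admin host to verify both points above: that AZUREADSSOACC only accepts AES256, and that its key (the computer account password, which the rollover resets) is younger than the recommended 30 days. It assumes the ActiveDirectory RSAT module is installed and the caller has read access to the account; the function name is my own.

```powershell
# Added example: audit the Seamless SSO computer account (AZUREADSSOACC).
# Assumes the ActiveDirectory module (RSAT) and read access to the object.
Import-Module ActiveDirectory

# Bit values of the msDS-SupportedEncryptionTypes attribute.
$EncTypes = [ordered]@{
    0x01 = 'DES-CBC-CRC'
    0x02 = 'DES-CBC-MD5'
    0x04 = 'RC4-HMAC'
    0x08 = 'AES128-CTS-HMAC-SHA1-96'
    0x10 = 'AES256-CTS-HMAC-SHA1-96'
}

function Test-AzureAdSsoAccount {
    param(
        [string]$Name = 'AZUREADSSOACC',
        [int]$MaxKeyAgeDays = 30     # Microsoft's rollover recommendation
    )

    $acc = Get-ADComputer -Identity $Name `
        -Properties 'msDS-SupportedEncryptionTypes', PasswordLastSet

    # An unset attribute reads as 0: no explicit restriction, so the
    # domain default applies instead of an enforced AES256-only setting.
    $mask    = [int]($acc.'msDS-SupportedEncryptionTypes')
    $enabled = $EncTypes.Keys | Where-Object { $mask -band $_ } |
               ForEach-Object { $EncTypes[$_] }
    $aesOnly = ($mask -eq 0x10)    # exactly AES256, nothing weaker

    # The rollover resets the account password, so PasswordLastSet
    # is the date of the last Kerberos decryption key rollover.
    $keyAge   = (Get-Date) - $acc.PasswordLastSet
    $keyFresh = $keyAge.TotalDays -le $MaxKeyAgeDays

    [pscustomobject]@{
        Account         = $acc.Name
        EncryptionTypes = ($enabled -join ', ')
        AesOnly         = $aesOnly
        KeyAgeDays      = [math]::Round($keyAge.TotalDays, 1)
        KeyRolledOnTime = $keyFresh
        NeedsAction     = (-not $aesOnly) -or (-not $keyFresh)
    }
}

Test-AzureAdSsoAccount | Format-List
```

NeedsAction is true whenever RC4 (or DES) is still enabled on the account or the key is older than 30 days, which makes the function suitable for a scheduled compliance check.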
Thanks Tobi for the nice article! We just recently enabled SSO for Azure AD and I used this article as a guide for changing the encryption from RC4-HMAC to AES256-HMAC-SHA1.
thank you thank you.