AAD-Connect PTA with SSO & Kerberos Decryption Key Roll Over

When setting up PTA with Seamless SSO, the Kerberos decryption keys must be rolled over every 30 days. Unfortunately Microsoft has not yet devised a streamlined process to automate this, though they hope to deliver one within the next six months. Until that is available, the following solution has been developed to perform the rollover automatically.

The problem is best illustrated in the following test environment, which has three internal domains configured for Seamless Single Sign-On.

AD-Connect Screen

As illustrated below, the decryption keys should be rolled over every 30 days to ensure the platform remains secure and operational.…
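The rollover itself is performed on the Azure AD Connect server with the AzureADSSO module that ships with it. The script below is an added example, not the post's own solution: it discovers every forest that has Seamless SSO enabled and rolls the key in each one, which is the manual per-forest procedure applied to a multi-domain environment like the three-domain lab above. Assumptions: the default Azure AD Connect install path; that the JSON returned by Get-AzureADSSOStatus exposes the SSO-enabled domains in a Domains array (property name assumed); that Update-AzureADSSOForest targets the forest of the supplied on-prem credential; and the hypothetical helper Get-ForestCredential, which stands in for however you retrieve per-domain Domain Admin credentials.

```powershell
# Added example (not the post's script): roll over the Seamless SSO Kerberos
# decryption key (the AZUREADSSOACC computer account) in every SSO-enabled forest.
# Assumptions are marked inline; verify cmdlet parameters against your module version.

$ErrorActionPreference = 'Stop'

# Module shipped with Azure AD Connect (default install path assumed).
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'

# Hypothetical helper: returns Domain Admin credentials for one on-prem domain.
# For a scheduled run, replace the prompt with a vault lookup (e.g. SecretManagement);
# never hard-code these credentials in the script.
function Get-ForestCredential {
    param([Parameter(Mandatory)][string]$Domain)
    return Get-Credential -Message "Domain Admin credentials (DOMAIN\user) for $Domain"
}

# 1. Authenticate to Azure AD. Interactive by default; prompts for a Global Admin
#    (or Hybrid Identity Admin) account.
New-AzureADSSOAuthenticationContext

# 2. Discover the forests/domains where Seamless SSO is currently enabled.
$status  = Get-AzureADSSOStatus | ConvertFrom-Json
$domains = @($status.Domains)   # assumed property name, see lead-in
if ($domains.Count -eq 0) {
    throw 'Get-AzureADSSOStatus reported no Seamless SSO domains; nothing to roll over.'
}

# 3. Roll the key in each forest. The forest is selected by the credential supplied
#    (assumption), so one call per domain with that domain's credentials.
$results = foreach ($domain in $domains) {
    try {
        $cred = Get-ForestCredential -Domain $domain
        Update-AzureADSSOForest -OnPremCredentials $cred -PreserveCustomPermissionsOnDesktopSsoAccount
        [pscustomobject]@{ Domain = $domain; RolledOver = $true;  When = Get-Date; Error = $null }
    }
    catch {
        # Keep going: a failure in one forest must not leave the others un-rolled.
        [pscustomobject]@{ Domain = $domain; RolledOver = $false; When = Get-Date; Error = $_.Exception.Message }
    }
}

# 4. Report, and keep a record so the next run can confirm the 30-day interval.
$results | Format-Table -AutoSize
$results | Export-Csv -Path "$env:ProgramData\SsoKeyRollover.csv" -Append -NoTypeInformation

if ($results | Where-Object { -not $_.RolledOver }) {
    Write-Warning 'One or more forests failed to roll over; see the CSV for details.'
    exit 1
}
```

If this is to run unattended from a scheduled task, note what that implies: the task needs a Global Admin credential for the cloud side (New-AzureADSSOAuthenticationContext accepts a -CloudCredentials PSCredential, but MFA or Conditional Access policies may block a non-interactive sign-in) and a Domain Admin credential for every forest. Those are tier-0 secrets, so keep them in a vault, restrict the task to the Azure AD Connect server under a dedicated service identity, and alert on the run's success or failure rather than letting a silent failure push a forest past the 30-day window.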