While playing around in the HypervLAB this weekend, I was prompted with this message after installing the latest AzureAD Sync Service. So in this post, I'll cover the steps for updating the Kerberos decryption key. For more information on the Kerberos decryption key, check out the docs.microsoft article.
Firstly, we need to log onto the server which runs the AzureAD Sync Service application, launch PowerShell as an Administrator, and then navigate to:
cd "C:\Program Files\Microsoft Azure Active Directory Connect"
Once in the folder you want to run:
Now that the module is imported, let's log into the Azure AD tenant.
New-AzureADSSOAuthenticationContext -CloudCredentials (Get-Credential)
Next, we can run the following command. This time, however, the credentials prompted for are those of the local (on-premises) domain.
$creds = Get-Credential
Once the credentials have been entered, we can update the decryption key.
Update-AzureADSSOForest -OnPremCredentials $creds
NOTE: When I ran the command initially, I was given this error message.
From a quick Google search, it advised that there was either a missing or corrupt 'AZUREADSSOACC' computer account. Creating this under the default Computers OU resolved this.
Re-ran the command and it completed without errors.
Once the SSO key has been updated, run a full sync and import from the Service Manager.
Check the Seamless Single Sign-On status page in the Azure portal and you will see it's green and happy!
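The whole key rollover as one script, added here as an example and not code from the original post. It assumes an elevated PowerShell session on the Azure AD Connect server, the RSAT ActiveDirectory module for the Get-ADComputer checks, and uses the Get-AzureADSSOStatus cmdlet (not mentioned above) to confirm the result. The check for the AZUREADSSOACC computer account is done up front so that the missing-account error described above is caught before the key is touched.

```powershell
# Added example (not from the original post): roll the Seamless SSO Kerberos
# decryption key, checking the AZUREADSSOACC computer account first.
# Assumptions: elevated session on the Azure AD Connect server, RSAT
# ActiveDirectory module installed, and rights to run the SSO cmdlets.

$ErrorActionPreference = 'Stop'
$ssoAccountName = 'AZUREADSSOACC'   # computer account that backs Seamless SSO

# 1. Verify the AZUREADSSOACC computer account exists before rolling the key.
#    A missing or corrupt account is what produced the error in the post.
Import-Module ActiveDirectory
$ssoAccount = Get-ADComputer -Filter "Name -eq '$ssoAccountName'" -Properties Enabled, PasswordLastSet
if (-not $ssoAccount) {
    throw "Computer account '$ssoAccountName' was not found in the domain; fix the Seamless SSO setup before rolling the key."
}
Write-Host "Found $($ssoAccount.DistinguishedName); password last set $($ssoAccount.PasswordLastSet)"

# 2. Load the Seamless SSO module that ships with Azure AD Connect.
Set-Location 'C:\Program Files\Microsoft Azure Active Directory Connect'
Import-Module .\AzureADSSO.psd1

# 3. Authenticate to the tenant with cloud credentials, then collect the
#    on-premises domain credentials used for the forest update.
New-AzureADSSOAuthenticationContext -CloudCredentials (Get-Credential -Message 'Azure AD tenant administrator')
$onPremCreds = Get-Credential -Message 'On-premises domain administrator'

# 4. Roll the Kerberos decryption key for the forest.
Update-AzureADSSOForest -OnPremCredentials $onPremCreds

# 5. Confirm the rollover. The key is the AZUREADSSOACC account's password, so
#    PasswordLastSet should now be recent; the SSO status should list the domain.
$after = Get-ADComputer -Identity $ssoAccount.DistinguishedName -Properties PasswordLastSet
Write-Host "$ssoAccountName password last set now: $($after.PasswordLastSet)"
Get-AzureADSSOStatus | ConvertFrom-Json
```

Run it once per forest that has Seamless SSO enabled; after it completes, do the full sync and import from the Service Manager and check the status page in the portal as described above.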