# Kerberos rollover key

5 messages

analog furnace

I've been trying several versions, but this is the closest I've got so far.
The attached ps1 script almost works...

```
2025-03-19 07:01:47 Script started.
2025-03-19 07:01:47 Modules imported successfully.
2025-03-19 07:01:47 Successfully retrieved Azure AD App credentials.
2025-03-19 07:01:47 Successfully retrieved on-premises credentials (MyDomain\SyncUser).
2025-03-19 07:01:48 Successfully retrieved OAuth access token.
2025-03-19 07:01:48 Authenticated to Microsoft Graph successfully via Service Principal.
2025-03-19 07:01:48 First user in tenant: Contoso Atlanta (obscured original name here)
2025-03-19 07:01:48 Converted on-premises credentials to PSCredential.
2025-03-19 07:01:48 Failed to initialize AzureADSSO Authentication Context: The authority (including the tenant ID) must be in a well-formed URI format.
Parameter name: authority
```

If there are better ways to automate this... I'm listening.

loud goblet

Have you tried passing just the tenant ID to New-AzureADSSOAuthenticationContext -TenantID?


Change:

```powershell
New-AzureADSSOAuthenticationContext -CloudCredentials $PSOnPremCred -TenantId $AuthorityUri
```

to

```powershell
New-AzureADSSOAuthenticationContext -CloudCredentials $PSOnPremCred -TenantId $TenantId
```

analog furnace

Yeah, I tested that too, but it failed. I came to the conclusion to work around Microsoft.Graph.Authentication entirely instead. Not sure if it's future-safe, but it works. I'll supply the working version I have now in this post.


To get this to work properly, one needs to store the credentials in Credential Manager first, under the user account that will run the script as a scheduled task. That part is important.

```powershell
# Install module (if not already installed)
Install-Module CredentialManager -Force

# Import it if it's already installed.
Import-Module CredentialManager -Force

# Azure AD cloud credentials
$AzureCred = Get-Credential -Message "Enter Azure AD credentials (MyAzureGlobalAdminUser@something.onmicrosoft.com)"
New-StoredCredential -Target "AzureADSSO-Cloud" -Credentials $AzureCred -Persist LocalMachine

# On-prem credentials
$OnPremCred = Get-Credential -Message "Enter on-premises AD credentials (MyDomain\SyncUser)"
New-StoredCredential -Target "AzureADSSO-OnPrem" -Credentials $OnPremCred -Persist LocalMachine
```
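The scheduled-task body that consumes those two Credential Manager entries, as an added example that is not part of the thread or of any poster's script. It assumes the `AzureADSSO-Cloud` and `AzureADSSO-OnPrem` targets were stored under the same Windows account the task runs as, that Azure AD Connect is installed in its default folder (so `AzureADSSO.psd1` is at the path shown), and a log file location chosen here for illustration. It passes only `-CloudCredentials` to `New-AzureADSSOAuthenticationContext`, leaving out the `-TenantId` argument the thread experiments with, and rolls the key with `Update-AzureADSSOForest -OnPremCredentials` as the AzureADSSO module documents.

```powershell
# Added example: non-interactive Seamless SSO Kerberos key rollover for a scheduled task.
# Assumptions: CredentialManager module installed; both stored credentials created as the task account;
# Azure AD Connect in its default install path; log path chosen for this example only.
$ErrorActionPreference = 'Stop'
$LogFile = 'C:\ProgramData\AzureADSSO-Rollover.log'   # assumed location, adjust as needed

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
}

try {
    Write-Log 'Script started.'
    Import-Module CredentialManager
    Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
    Write-Log 'Modules imported successfully.'

    # Read both secrets from the task account's Credential Manager vault.
    # Get-StoredCredential returns $null rather than throwing when the target is missing
    # (for example when the task runs as a different user than the one that stored them),
    # so check explicitly instead of letting a later cmdlet fail with a confusing error.
    $cloudCred  = Get-StoredCredential -Target 'AzureADSSO-Cloud'
    $onPremCred = Get-StoredCredential -Target 'AzureADSSO-OnPrem'
    if (-not $cloudCred -or -not $onPremCred) {
        throw 'Stored credentials not found. Run New-StoredCredential as the task account first.'
    }
    Write-Log ('Retrieved credentials for {0} (cloud) and {1} (on-prem).' -f $cloudCred.UserName, $onPremCred.UserName)

    # Authenticate the module against the tenant with the stored PSCredential instead of the interactive prompt.
    New-AzureADSSOAuthenticationContext -CloudCredentials $cloudCred
    Write-Log 'AzureADSSO authentication context created.'

    # Roll the Kerberos decryption key of the AZUREADSSOACC computer account in this forest.
    Update-AzureADSSOForest -OnPremCredentials $onPremCred
    Write-Log 'Update-AzureADSSOForest completed; Kerberos key rolled over.'

    # Record the feature state after the rollover so the log shows SSO is still enabled.
    $status = Get-AzureADSSOStatus
    Write-Log ('SSO status: {0}' -f $status)
    exit 0
}
catch {
    Write-Log ('FAILED: {0}' -f $_.Exception.Message)
    exit 1
}
```

Two points worth keeping in mind when running this unattended: a Global Administrator password persisted in Credential Manager with `-Persist LocalMachine` is readable by any code that runs as the task account, so that account should be dedicated to this job and the host treated as tier-0 like the Azure AD Connect server itself; and the script logs only usernames and status, never the `$cloudCred`/`$onPremCred` objects, so the log file cannot leak the secrets it depends on.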