We have automated the 30-day Kerberos decryption key rollover process by using an "encrypted" password stored within a text file to create the necessary PSCredential object for the PowerShell command new-azureADSSOAuthenticationContext.
This works, but I want to improve the general security and therefore want to eliminate the PSCredential object for the Global Administrator of our tenant on Azure.
I have seen that the new-azureADSSOAuthenticationContext command can also be fed with an access token (via the parameter -token). An access token I can retrieve by using a certificate stored within the much more secure machine cert store, using "Get-MsalToken".
So far I have created an Azure app, have assigned its SecurityPrincipal the Global Administrator role (under Enterprise Apps) and have created a self-signed certificate (stored within the machine personal store) and uploaded this cert to the Azure App.
I am getting the token with:
$Token = Get-MsalToken -ClientId $ClientId -TenantId $TenantId -ClientCertificate $Certificate -RedirectUri "http://bla.com"
This works, and I can also use the token within the new-azureADSSOAuthenticationContext.
But when I then call Update-AzureADSSOForest -OnPremCredentials $OnpremCred, I get the following error:
When run under the "new" PowerShell 7:
Line |
133 | Update-AzureADSSOForest -OnPremCredentials $OnpremCred
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Could not load type 'System.ServiceModel.Web.WebChannelFactory`1' from assembly 'System.ServiceModel.Web, Version=4.0.0.0, Culture=neutral,
| PublicKeyToken=31bf3856ad364e35'.
When run under the "old" PowerShell 5.1:
Update-AzureADSSOForest : Uploading computer account information failed. Error message: DesktopSsoNumOfDomains request was made with invalid authenticatedToken. Value:''
At C:\Scripts\DEV-MIHA\KerberosKeyRollover\M365_Kerberos_Key_Rollover.ps1:133 char:1
Hint: I have read for quite some hours regarding the general issue and so far have not found any solution for this problem, except that some claim that this is currently not possible.
But maybe somebody out there has already managed what I want to achieve.
Suggestions are welcome. :-)
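The flow described in the post (certificate from the machine store, token via Get-MsalToken, token-based SSO context, then the forest update) put together as one script. This is an added example, not the poster's script or Microsoft's code; it does not resolve the two errors quoted above, it only shows the intended replacement of the password-in-a-text-file step. The placeholder values, the AzureADSSO module path, the use of $Token.AccessToken as the value for -Token, and the DPAPI-protected Clixml file for the on-prem credential are assumptions.

```powershell
# Added example (not from the original post): certificate-based token acquisition
# for the Seamless SSO Kerberos key rollover, replacing a password stored in a file.
# Assumptions: the MSAL.PS and AzureADSSO modules are installed, and the
# application registration and certificate exist as described in the post.
# $ClientId, $TenantId and $CertThumbprint are placeholders to fill in.

$ClientId       = '<app-client-id>'        # placeholder
$TenantId       = '<tenant-id>'            # placeholder
$CertThumbprint = '<cert-thumbprint>'      # placeholder

# Assumed default install path of the Azure AD Connect SSO module.
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'

# Pull the certificate from the machine store; the private key never leaves the store.
$Certificate = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $CertThumbprint }
if (-not $Certificate) {
    throw "Certificate $CertThumbprint not found in Cert:\LocalMachine\My"
}
if (-not $Certificate.HasPrivateKey) {
    throw "Certificate $CertThumbprint has no accessible private key"
}

# Acquire an access token with the certificate (client credentials flow), as in the post.
$Token = Get-MsalToken -ClientId $ClientId -TenantId $TenantId `
    -ClientCertificate $Certificate -RedirectUri 'http://bla.com'

# Assumption: -Token expects the bearer access token string from the MSAL result.
New-AzureADSSOAuthenticationContext -Token $Token.AccessToken

# The on-prem domain credential is still required by Update-AzureADSSOForest.
# Assumption: it was exported once with Export-Clixml by the same account on the
# same machine, so it is DPAPI-protected and only usable in that context, rather
# than stored as a reversible "encrypted" string in a text file.
$OnpremCred = Import-Clixml -Path 'C:\Scripts\onprem-cred.xml'   # assumed path

Update-AzureADSSOForest -OnPremCredentials $OnpremCred
```

The two throw checks are the part worth keeping even if the rest changes: a certificate that exists but whose private key the scheduled-task account cannot read fails later, inside Get-MsalToken, with a far less obvious message than an explicit check at the top of the script.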