This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 2%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EG%3C/text%3E%3C/svg%3E)
In our environment we are hyrbid joined and we currently utilize Seamless-SSO with our AADCONNECT server. We have a script that we run to rollover the kerberos key every month, and am looking for modern and/or updated ways to see if this is still necessary within the environment.
After researching for days on end, I've been able to find that we can use a Primary Refresh Token for SSO (https://learn.microsoft.com/en-us/entra/identity/devices/concept-primary-refresh-token?tabs=windows-prt-issued%2Cbrowser-behavior-windows%2Cwindows-prt-used%2Cwindows-prt-renewal%2Cwindows-prt-protection%2Cwindows-apptokens%2Cwindows-browsercookies%2Cwindows-mfa) instead of Seamless-SSO for Microsoft Entra Connect.
This information is quite confusing as I do not understand if we can use this in replacement of kerberos rollover or would it be better to remain on Seamsless-SSO?
Also, would there be any possible issues if we were to switch over to PRT from Seamless-SSO in terms of downtime, etc?
A cloud-based identity and access management service for securing user authentication and resource access
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 99%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Hey Gabe! It sounds like you're pondering whether to continue using Seamless SSO for your hybrid-joined environment or to switch to the Primary Refresh Token (PRT) approach. Let's break this down:
You currently have Seamless SSO enabled with your Azure AD Connect server. This allows users to automatically sign in when on a corporate device and connected to your corporate network. This solution typically depends heavily on Kerberos authentication and, as you mentioned, involves rolling over the Kerberos key every month.
PRT is specifically designed for environments that leverage Microsoft Entra (formerly Azure AD). Here's how it plays into your situation:
Switching to PRT would mean that you'll not need to rely on Kerberos key rollover for authentication since PRT functions independently of it.
Hope this helps clear up your confusion! If you have any further questions, feel free to ask.
Towards the end of the Understanding Primary Refresh Token (PRT) document, it notes the following:
Note
The Browser SSO flow described in the previous steps doesn't apply for sessions in private modes such as InPrivate in Microsoft Edge, Incognito in Google Chrome (when using the Microsoft Accounts extension) or in private mode in Mozilla Firefox v91+
Does this mean that when we utilize Incognito or InPrivate mode it will not let us sign into our accounts with the PRT tokens?
Answer accepted by question author
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 69%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERJ%3C/text%3E%3C/svg%3E)
PRT is the modern SSO mechanism and recommended for hybrid environments. Seamless SSO is only needed for initial silent auth. Consider removing it and moving to PRT. That way you will not be required to rollover the Kerberos on a monthly basis.