Rotating Kerberos key for Seamless SSO in multi-domain forest with Azure AD Connect

Robbert-Jan van Nugteren 10 Reputation points

What is the correct procedure for rotating the Kerberos key used by Seamless SSO when it is configured in a forest with multiple domains and synced to multiple tenants through Azure AD Connect? The documentation recommends running the Update-AzureADSSOForest command once per forest, but this only updates the key for the tenant that was signed in with New-AzureADSSOAuthenticationContext. After the rotation, Seamless SSO breaks for the other synced tenants. What is the correct way to solve this?

This is my setup:

  • ssc.local = AADconnect with tenant A & B
  • dsv.ssc.local = AADconnect with tenant C
  • sko.ssc.local = AADconnect with tenant D

Microsoft Entra ID
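The rollover the question refers to, written out as an added PowerShell example (this is not code from the original post or from Microsoft's documentation; it only strings together the documented AzureADSSO cmdlets with a before/after check). It assumes the default Azure AD Connect install path, the RSAT ActiveDirectory module on the same server, a Global Administrator sign-in for the tenant whose key is rolled, and a Domain Admin credential for the forest. The domain names are the ones from the question. The on-premises half of the Seamless SSO key is the password of the AZUREADSSOACC computer account, so the check below records that account's PasswordLastSet per domain before and after the rollover; that is the quickest way to see which account was actually re-keyed and, therefore, which other tenants sharing that domain will stop working until they receive the new key.

```powershell
# Added example, not part of the original post. Assumed: default Azure AD Connect
# install path, RSAT ActiveDirectory module present, run from the AADconnect server.
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
Import-Module ActiveDirectory

# Domains from the question. AZUREADSSOACC only exists in the domains where
# Seamless SSO was enabled, so a missing account is reported, not treated as an error.
$domains = 'ssc.local', 'dsv.ssc.local', 'sko.ssc.local'

function Get-SsoAccountAge {
    foreach ($d in $domains) {
        $acct = Get-ADComputer -Identity 'AZUREADSSOACC' -Server $d `
                               -Properties PasswordLastSet -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Domain          = $d
            Found           = [bool]$acct
            PasswordLastSet = if ($acct) { $acct.PasswordLastSet } else { $null }
        }
    }
}

# 1. Record the current key age in every domain before touching anything.
$before = Get-SsoAccountAge
$before | Format-Table -AutoSize

# 2. Sign in as a Global Administrator of the tenant whose key is being rolled
#    (interactive prompt). This fixes which tenant receives the new key.
New-AzureADSSOAuthenticationContext

# 3. Confirm Seamless SSO is enabled for that tenant and which domains it covers.
Get-AzureADSSOStatus | ConvertFrom-Json

# 4. Roll the key. Per the documentation this is run once per AD forest, with a
#    Domain Admin credential of that forest (here the ssc.local forest).
$onPremCreds = Get-Credential -Message 'Domain Admin for the ssc.local forest (DOMAIN\user)'
Update-AzureADSSOForest -OnPremCredentials $onPremCreds

# 5. Compare: the domain(s) whose AZUREADSSOACC password was reset now show a
#    newer PasswordLastSet. Any other tenant synced from such a domain still holds
#    the old key until it is updated too, which is the breakage the question describes.
$after = Get-SsoAccountAge
foreach ($row in $after) {
    $old = ($before | Where-Object Domain -eq $row.Domain).PasswordLastSet
    [pscustomobject]@{
        Domain   = $row.Domain
        Before   = $old
        After    = $row.PasswordLastSet
        ReKeyed  = ($row.PasswordLastSet -ne $old)
    }
} | Format-Table -AutoSize
```

Run it once per forest as the documentation says, and keep the before/after table: it shows which domain's account changed and lets you match that against the tenants listed next to each domain in the setup above. The script does not attempt to repair the other tenants, since the original post does not give a supported procedure for that.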

1 answer

  1. Andy David - MVP 142.8K Reputation points