This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 16%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERJ%3C/text%3E%3C/svg%3E)
What is the correct procedure for rotating the Kerberos key used in Seamless SSO when configured in a forest with multiple domains and synced with multiple tenants through Azure AD Connect? The documentation recommends running the Update-AzureADSSOForest command once per forest, but this only updates the key for the tenant that signed in using New-AzureADSSOAuthenticationContext. After the rotation, the Seamless SSO breaks for the other synced tenants. What is the correct way to solve this?
This is my setup:
dsv.ssc.local = AADconnect with tenant C
sko.ssc.local = AADconnect with tenant D
If I understand your architecture correctly, its not supported to have SSO with multiple tenants and one AD forest syncing to them
https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/plan-connect-topologies
Hi Andy,
That's correct, we have multiple tenants connected to one forest with multiple domains. So with this setup we could only provide SSO with deviced joined to Azure AD.
Hi Andy,
That's correct, we have multiple tenants connected to one forest with multiple domains :).
Is there another solution to provide SSO for on-prem joined devices with this setup? Or is the only way to go to AAD joined devices?
Does this also apply to the Kerberos Cloud Trust configuration/setup?