We do the 30 days kerberos decryption key rollover process automated by using an "encrypted" password stored within a text file to create the neccessary PSCredential object for the Powershell command new-azureADSSOAuthenticationContext.
This works - but I want to improve the general security and want therefore to eliminate the PSCredential object for the Global Administrator of our Tenant on Azure.
I have seen that the new-azureADSSOAuthenticationContext command also can be feed with an access token (via parameter -token). An access token I can retrieve by using a certificate stored within the much more secure machine cert store by using "Get-MsalToken"
So far I have created an Azure app, have assigned its SecurityPrincipal the Global Administrator role (under Enterprise Apps) and have created a self-signed certificate (stored within the machine personal store) and uploaded this cert to the Azure App.
I am getting the token with: $Token = Get-MsalToken -ClientId $ClientId -TenantId $TenantId -ClientCertificate $Certificate -RedirectUri "http://bla.com"
This works and I also can use the token within the new-azureADSSOAuthenticationContext.
But when I then call Update-AzureADSSOForest -OnPremCredentials $OnpremCred, I get the following error:
When run under the "new" Powershell 7: Line | 133 | Update-AzureADSSOForest -OnPremCredentials $OnpremCred | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Could not load type 'System.ServiceModel.Web.WebChannelFactory`1' from assembly 'System.ServiceModel.Web, Version=4.0.0.0, Culture=neutral, | PublicKeyToken=31bf3856ad364e35'.
When run under the "old" Powershell 5.1: Update-AzureADSSOForest : Uploading computer account information failed. Error message: DesktopSsoNumOfDomains request was made with invalid authenticatedToken. Value:'' At C:\Scripts\DEV-MIHA\KerberosKeyRollover\M365_Kerberos_Key_Rollover.ps1:133 char:1
- Update-AzureADSSOForest -OnPremCredentials $OnpremCred
-
+ CategoryInfo : NotSpecified: (:) [Update-AzureADSSOForest], Exception + FullyQualifiedErrorId : System.Exception,Microsoft.KerberosAuth.Powershell.PowershellCommands.UpdateAzureADSSOForestCommand
Hint: I have read quite some hours regarding the general issue - and so far have not found any solution for this problem. Except that some claim that this is currently not possible.
But maybe somebody out there has managed already what I want to achieve
Suggestions are welcome. :-)
0 Answers