Recommended to roll over Kerberos decryption key Seamless Sign-on


When I am looking at my Azure AD Connect, I see a notice that it is recommended to roll over the Kerberos decryption key on my on-premises AD for Seamless sign-on.  The Microsoft Docs just mentions it is recommended every 30 days but does not explain in detail what this means or if it causes problems.  Any insight? Thanks.

1 Reply

@Jeff Harlow I'm by no means an expert, but I believe rolling over the key is considered a "best practice" from a security perspective.  Not rolling over the key shouldn't cause SSO to stop working.


That said...you should do it.  It's a simple procedure.
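For readers who want to see what the "simple procedure" looks like, here is the documented rollover as an added example; it is not code from either poster. The key in question is the Kerberos key of the AZUREADSSO computer account that Azure AD Connect creates in the on-premises forest; Azure AD uses it to decrypt the Kerberos tickets clients present during Seamless SSO, so rotating it limits how long any copy of that key stays usable, which is why the 30-day recommendation exists. The script assumes the default Azure AD Connect install path, that it is run on the Azure AD Connect server with an account that is a Domain Admin in the on-premises forest, and that the Azure AD sign-in prompt is answered with a Global Administrator account; it asks for credentials interactively rather than embedding them.

```powershell
# Added example: roll over the Seamless SSO Kerberos decryption key.
# Run on the Azure AD Connect server in an elevated PowerShell session.

# Assumption: default install location of Azure AD Connect.
$ssoModule = 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
if (-not (Test-Path -LiteralPath $ssoModule)) {
    throw "AzureADSSO module not found at '$ssoModule'; adjust the path to your install."
}
Import-Module $ssoModule

# Prompts for an Azure AD Global Administrator sign-in.
New-AzureADSSOAuthenticationContext

# Check: show the current Seamless SSO status before changing anything.
Get-AzureADSSOStatus

# Prompt for on-premises Domain Admin credentials (DOMAIN\user form).
$onPremCreds = Get-Credential -Message 'On-premises Domain Admin credentials for the key rollover'

# Rolls over the Kerberos decryption key of the AZUREADSSO computer account
# in the forest the credentials belong to. Repeat once per forest if you
# have several.
Update-AzureADSSOForest -OnPremCredentials $onPremCreds

# Check: confirm status again after the rollover.
Get-AzureADSSOStatus
```

Run it once per on-premises forest that participates in Seamless SSO, and note when you ran it so the next rollover lands inside the 30-day window; the Azure AD Connect notice the question mentions goes away once the key has been rotated recently.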