question

0 Votes
SarahLevine-4503 asked alejlw answered

Error when trying to roll over the Kerberos decryption key for Azure

The error is: [11:31:46.706] [ 7] [WARNING] Failed to remove inherited permissions on Sso computer account CN=AZUREADSSOACC,CN=Computers,DC=ehad,DC=loc. Error : A constraint violation occurred.

I did the following steps to try rolling over the Kerberos key:

  • Updated PowerShell to 5.1

  • cd "C:\Program Files\Microsoft Azure Active Directory Connect"

  • Import-Module .\AzureADSSO.psd1

  • New-AzureADSSOAuthenticationContext *** (I am Enterprise, Schema admin, etc.)

  • Get-AzureADSSOStatus | fl

  • $O365Cred = Get-Credential

  • Update-AzureADSSOForest -OnPremCredentials $O365Cred

I got this error:
PS C:\Program Files\Microsoft Azure Active Directory Connect> Update-AzureADSSOForest -OnPremCredentials $O365Cred
[12:25:37.875] [ 7] [INFORMATIONAL] UpdateComputerAccount: Locating SSO computer account in ehad.loc...
[12:25:37.876] [ 7] [INFORMATIONAL] GetDesktopSsoComputerAccount: Searching in global catalog(forest) and ehad.loc for computer account AZUREADSSOACC
[12:25:37.912] [ 7] [INFORMATIONAL] TrySearchAccountUnderGlobalCatalog: Object was found in global catalog(forest), hence skipping ehad.loc search
[12:25:37.914] [ 7] [INFORMATIONAL] UpdateComputerAccount: Found SSO computer account at CN=AZUREADSSOACC,CN=Computers,DC=ehad,DC=loc. Updating its properties...
[12:25:37.916] [ 7] [INFORMATIONAL] UpdateComputerAccount: Granting full control to account admins and enterprise admins for computer account CN=AZUREADSSOACC,CN=Computers,DC=ehad,DC=loc...
[12:25:37.952] [ 7] [WARNING] Failed to remove inherited permissions on Sso computer account CN=AZUREADSSOACC,CN=Computers,DC=ehad,DC=loc. Error : A constraint violation occurred.


azure-active-directory

2 Votes
SarahLevine-4503 answered JohnOnyeyiri-8463 commented

I did more digging and resolved this.

  • Run PowerShell 'as administrator' on EH-DC2, where Azure AD Connect is running

  • cd "C:\Program Files\Microsoft Azure Active Directory Connect" (use quotes!)

  • Import-Module .\AzureADSSO.psd1

  • New-AzureADSSOAuthenticationContext

  • Get-AzureADSSOStatus | ConvertFrom-Json

  • $creds = Get-Credential

  • Update-AzureADSSOForest -OnPremCredentials $creds


Thanks, this worked for me.

0 Votes
alejlw answered

This worked for me, many thanks.
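
The rollover steps from the resolving answer, combined into one script with a before/after check that the AZUREADSSOACC password actually changed. This is an added example, not code from any poster in this thread; it assumes the ActiveDirectory (RSAT) module is installed, the default Azure AD Connect install path, and that the account lives in the domain of the server the script runs on.

```powershell
# Added example (not from the thread). Assumes: ActiveDirectory RSAT module,
# default Azure AD Connect install path, SSO account in the current domain.
$ErrorActionPreference = 'Stop'

# The resolving answer ran the session "as administrator"; stop early if this one is not elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Session is not elevated. Start PowerShell with "Run as administrator".'
}

Import-Module ActiveDirectory
Set-Location 'C:\Program Files\Microsoft Azure Active Directory Connect'
Import-Module .\AzureADSSO.psd1

# Helper (hypothetical name): read the password timestamp of the SSO computer account.
function Get-SsoAccountPasswordLastSet {
    $acct = Get-ADComputer -Filter "Name -eq 'AZUREADSSOACC'" -Properties PasswordLastSet
    if (-not $acct) { throw 'AZUREADSSOACC was not found in the current domain.' }
    return $acct.PasswordLastSet
}

$before = Get-SsoAccountPasswordLastSet
Write-Host "PasswordLastSet before rollover: $before"

New-AzureADSSOAuthenticationContext        # prompts for the cloud admin sign-in
Get-AzureADSSOStatus | ConvertFrom-Json    # shows the domains where Seamless SSO is enabled

$creds = Get-Credential -Message 'On-premises domain admin (DOMAIN\user format)'
Update-AzureADSSOForest -OnPremCredentials $creds

# The read may hit a different domain controller than the write; allow for
# replication before treating an unchanged timestamp as a failed rollover.
$after = Get-SsoAccountPasswordLastSet
Write-Host "PasswordLastSet after rollover:  $after"

if ($after -gt $before) {
    Write-Host 'Kerberos decryption key rolled over.'
} else {
    Write-Warning 'PasswordLastSet did not change. Review the Update-AzureADSSOForest output above.'
}
```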