question

0 Votes
SEM-6854 asked

Reset krbtgt password in AADDS managed domain

As the title says: is it possible to reset krbtgt password in an Azure AD DS managed domain?
Bonus question: is the krbtgt automatically rotated in an Azure AD DS managed domain?

Backstory:
Having noticed that krbtgt's password last set date changed without our intervention we decided to preventively reset it.
Running the New-KrbtgtKeys.ps1 script returns an error, indicating that the administrator user has insufficient permissions, which is also described in Microsoft documentation.

azure-ad-domain-services

0 Votes
SEM-6854 answered

We opened a support ticket with Microsoft regarding krbtgt password rotation and got the following answer:

Our backend team has informed me that the krbtgt account password is rotated every 7 days.

This confirms that the krbtgt password is automatically rotated by Microsoft in Azure AD DS.

It would be nice if this information could be found in the AADDS online documentation, but that is currently not the case.
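A defender-side way to check that statement against a real managed domain, as an added example that is not part of the original thread or of any Microsoft documentation: the script below reads the krbtgt account's PasswordLastSet and msDS-KeyVersionNumber from a domain-joined management VM and flags the account when its password is older than the rotation interval. The 7-day interval is taken from the support answer above; the management VM, the RSAT ActiveDirectory module, the one-day grace period and the function name Get-KrbtgtRotationStatus are assumptions of this example.

```powershell
# Added example (not from the thread): report the krbtgt password age in a
# managed domain and flag it when it exceeds the rotation interval quoted by
# Microsoft support (assumed here to be 7 days). Assumes a domain-joined
# management VM with the RSAT ActiveDirectory module installed; reading these
# krbtgt attributes does not require domain admin rights.
Import-Module ActiveDirectory

function Get-KrbtgtRotationStatus {
    [CmdletBinding()]
    param(
        # Rotation interval to measure against (7 days per the support answer).
        [int]$ExpectedIntervalDays = 7,
        # Grace period so a check run shortly before the next rotation does
        # not raise a false alarm.
        [int]$GraceDays = 1,
        # Optional domain controller or domain name to query; defaults to the
        # domain the VM is joined to.
        [string]$Server
    )

    $params = @{
        Identity   = 'krbtgt'
        Properties = 'PasswordLastSet', 'msDS-KeyVersionNumber', 'whenChanged'
    }
    if ($Server) { $params['Server'] = $Server }

    $krbtgt = Get-ADUser @params
    $age = (Get-Date) - $krbtgt.PasswordLastSet

    # Key version number increments on every password set; tracking it over
    # time is a second, independent signal that rotation actually happened.
    [pscustomobject]@{
        PasswordLastSet  = $krbtgt.PasswordLastSet
        AgeDays          = [math]::Round($age.TotalDays, 1)
        KeyVersionNumber = $krbtgt.'msDS-KeyVersionNumber'
        ExpectedDays     = $ExpectedIntervalDays
        Overdue          = $age.TotalDays -gt ($ExpectedIntervalDays + $GraceDays)
    }
}

# Usage: run once to see the current state, or schedule it daily and alert
# when Overdue is $true or KeyVersionNumber stops increasing week over week.
$status = Get-KrbtgtRotationStatus
$status | Format-List
if ($status.Overdue) {
    Write-Warning ("krbtgt password is {0} days old; expected rotation every {1} days." -f $status.AgeDays, $status.ExpectedDays)
}
```

Because a managed domain has more than one domain controller, PasswordLastSet read from a single server can lag briefly after a rotation; querying with -Server against each controller, or allowing the grace period above, avoids a spurious alert from replication delay.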


1 Vote
MarileeTurscak-MSFT answered SEM-6854 commented

Yes, this appears to be possible. There are scripts for this here:

https://github.com/zjorz/Public-AD-Scripts
https://github.com/zjorz/Public-AD-Scripts/blob/master/Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1

There is another thread related to this topic here.

The keys are not automatically rotated, but you can do so via PowerShell:

 Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred -RotateServerKey

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises

Let me know if this answers your question!


Thank you for your answer!

However, in this case we are not using an on-prem AD DS hybrid solution with Azure AD Connect. We have an Azure AD and configured Azure AD Domain Services, which provides the Kerberos service. Since this is a managed solution, Microsoft does not grant us domain/enterprise admin privileges, as can be read in the FAQs.

The script you proposed requires domain/enterprise admin privileges:

  - To execute this script, the account running the script MUST be a member of the "Domain Admins" or Administrators group in the targeted AD domain.
  - If the account used is from another AD domain in the same AD forest, then the account running the script MUST be a member of the "Enterprise Admins" group in the AD forest or Administrators group in the targeted AD domain. [...]
  - If the account used is from another AD domain in another AD forest, then the account running the script MUST be a member of the "Administrators" group in the targeted AD domain. [...]

The command you suggested uses the PoSh module AzureADKerberosServer, which is part of AD Connect for a hybrid Azure AD / On-prem AD DS scenario.

Thank you again for your kind answer, but I cannot accept it as the solution to my questions.

0 Votes