How-to: Renew the symmetric key in Azure Information Protection

A symmetric key is a single secret that is used both to encrypt and to decrypt a message in symmetric-key cryptography; whoever holds the key can do both, so the key itself must be protected and rotated.

In Azure Active Directory (Azure AD), when you create a service principal object to represent an application, the process also generates a 256-bit symmetric key that the application presents to verify its identity. This symmetric key is valid for one year by default.

The following steps show how to renew the symmetric key.

Prerequisites

Renewing the symmetric key after expiry

You don't have to create a new service principal when the symmetric key associated with your application has expired. Instead, you can use the PowerShell cmdlets provided by the Microsoft Online Services (MSOnline) module to issue a new symmetric key for the existing service principal, so the application keeps its AppPrincipalId and ObjectId.

To illustrate this process, let's assume you have already created a new service principal using the New-MsolServicePrincipal command (a service principal is created with New-MsolServicePrincipal; New-MsolServicePrincipalCredential only adds credentials to one that already exists).

New-MsolServicePrincipal -DisplayName "SupportExampleApp"

Because no key value was supplied, the creation process generates a symmetric key and an AppPrincipalId, as shown. The key value is printed only at this point, so record it securely now.

The following symmetric key was created as one was not supplied
ZYbF/lTtwE28qplQofCpi2syWd11D83+A3DRlb2Jnv8=

DisplayName : SupportExampleApp
ServicePrincipalNames : {7d9c1f38-600c-4b4d-8249-22427f016963}
ObjectId : 0ee53770-ec86-409e-8939-6d8239880518
AppPrincipalId : 7d9c1f38-600c-4b4d-8249-22427f016963
TrustedForDelegation : False
AccountEnabled : True
Addresses : []
KeyType : Symmetric
KeyId : acb9ad1b-36ce-4a7d-956c-40e5ac29dcbe
StartDate : 3/22/2017 3:27:53 PM
EndDate : 3/22/2018 3:27:53 PM
Usage : Verify

This symmetric key expires on 3/22/2018 at 3:27:53 PM. To use the service principal beyond this time, you need to renew the symmetric key. To do so, use the New-MsolServicePrincipalCredential command with the AppPrincipalId of the existing service principal.

New-MsolServicePrincipalCredential -AppPrincipalId 7d9c1f38-600c-4b4d-8249-22427f016963

This creates a new symmetric key for the specified AppPrincipalId, with its own KeyId and its own one-year validity period; the existing key is left in place.

The following symmetric key was created as one was not supplied
ON8YYaMYNmwSfMX625Ei4eC6N1zaeCxbc219W090v28=

You can use the Get-MsolServicePrincipalCredential command to verify that the new symmetric key is associated with the correct service principal, as shown. Notice that the command lists all keys currently associated with the service principal, and that the Value field is empty even with -ReturnKeyValues $true: Azure AD does not return symmetric key material after creation, so the value printed by New-MsolServicePrincipalCredential is your only copy of it.

Get-MsolServicePrincipalCredential -AppPrincipalId 7d9c1f38-600c-4b4d-8249-22427f016963 -ReturnKeyValues $true

Type : Symmetric
Value :
KeyId : c1ac145f-e899-4c90-8a02-2cef40054fc5
StartDate : 3/24/2017 10:11:07 PM
EndDate : 3/24/2018 10:11:07 PM
Usage : Verify

Type : Symmetric
Value :
KeyId : acb9ad1b-36ce-4a7d-956c-40e5ac29dcbe
StartDate : 3/22/2017 3:27:53 PM
EndDate : 3/22/2018 3:27:53 PM
Usage : Verify

Once you have verified that the new symmetric key is indeed associated with the right service principal, update the application's configuration so that it authenticates with the new key. Both keys are valid until the old one expires or is removed, so the application can be switched over without an outage.

Only after the application is confirmed to authenticate with the new key should you remove the old symmetric key, using the Remove-MsolServicePrincipalCredential command with the KeyId of the old key and the ObjectId of the service principal. Then run Get-MsolServicePrincipalCredential again to verify that the old key is gone and only the new key remains.

Remove-MsolServicePrincipalCredential -KeyIds acb9ad1b-36ce-4a7d-956c-40e5ac29dcbe -ObjectId 0ee53770-ec86-409e-8939-6d8239880518
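The steps above, carried out end to end as one script. This is an added example, not code from the original article or from Microsoft; it assumes the MSOnline module is installed, that you run it in Windows PowerShell as a tenant administrator, and that $AppPrincipalId is replaced with your own application ID (the GUID below is the article's example value). It differs from the walkthrough in one deliberate way: the new 256-bit key is generated locally with a CSPRNG and passed in with -Value, so that the value ends up in a variable you can hand to your secret store instead of only scrolling past on the console.

```powershell
# Added example: rotate an AIP service principal's symmetric key with MSOnline,
# with a verification gate before the expiring key is removed.
# Assumptions: MSOnline module installed, Windows PowerShell, tenant admin rights.
param(
    [Guid]$AppPrincipalId = '7d9c1f38-600c-4b4d-8249-22427f016963',  # article's example; replace
    [int]$ValidityDays    = 365,   # lifetime of the new key
    [int]$WarnWithinDays  = 30     # rotate keys that expire within this window
)

Import-Module MSOnline
Connect-MsolService   # prompts for tenant admin credentials

# 1. Inspect the symmetric verification keys currently on the service principal.
$sp   = Get-MsolServicePrincipal -AppPrincipalId $AppPrincipalId
$keys = Get-MsolServicePrincipalCredential -AppPrincipalId $AppPrincipalId -ReturnKeyValues $true |
        Where-Object { $_.Type -eq 'Symmetric' -and $_.Usage -eq 'Verify' }

$now      = Get-Date
$expiring = $keys | Where-Object { $_.EndDate -lt $now.AddDays($WarnWithinDays) }
if (-not $expiring) {
    Write-Host "No symmetric key on $($sp.DisplayName) expires within $WarnWithinDays days; nothing to do."
    return
}
$expiring | ForEach-Object { Write-Host "Key $($_.KeyId) expires $($_.EndDate)" }

# 2. Generate the replacement key locally: 32 random bytes = 256 bits, base64-encoded,
#    which is the format New-MsolServicePrincipalCredential expects for -Type Symmetric.
#    Azure AD never returns a symmetric key value after creation (the Value field from
#    Get-MsolServicePrincipalCredential stays empty), so keep $newKeyValue in a variable
#    and hand it to your secret store rather than relying on console output.
$bytes = New-Object byte[] 32
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($bytes)
$newKeyValue = [Convert]::ToBase64String($bytes)

New-MsolServicePrincipalCredential -AppPrincipalId $AppPrincipalId `
    -Type Symmetric -Usage Verify -Value $newKeyValue `
    -StartDate $now -EndDate $now.AddDays($ValidityDays)

# 3. Verify the new key is attached to the right principal before touching the old one.
$after  = Get-MsolServicePrincipalCredential -AppPrincipalId $AppPrincipalId -ReturnKeyValues $true
$newKey = $after | Where-Object { $_.Type -eq 'Symmetric' -and $_.KeyId -notin @($keys.KeyId) }
if (-not $newKey) { throw "New symmetric key not found on $($sp.DisplayName); aborting rotation." }
Write-Host "New key $($newKey.KeyId) valid from $($newKey.StartDate) to $($newKey.EndDate)"

# Deploy $newKeyValue to the application's configuration here. Both keys are valid
# during the overlap, so the application can be switched without downtime.

# 4. Remove the old key(s) only once the application is confirmed to authenticate
#    with the new one. This manual prompt stands in for your own health check.
$answer = Read-Host "Has the application been redeployed with the new key and verified? (yes/no)"
if ($answer -ne 'yes') { Write-Warning "Old key(s) left in place; rerun after verification."; return }

Remove-MsolServicePrincipalCredential -ObjectId $sp.ObjectId -KeyIds @($expiring.KeyId)

# 5. Confirm that only the new key remains.
Get-MsolServicePrincipalCredential -ObjectId $sp.ObjectId |
    Format-Table KeyId, StartDate, EndDate, Usage
```

The cmdlet's parameter is the plural -KeyIds (a Guid array); PowerShell accepts the shortened -KeyId as an unambiguous prefix, which is why the single-key form in the walkthrough also works. Run the script without the removal step first if you want to confirm the -notin filter picks out exactly the key you just created.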