Thursday, 9 May 2019

Azure AD - Roll over Kerberos keys

After enabling seamless SSO, you need to roll over the Kerberos decryption key every month or so.
The process is described on this site:

However, you may need to adjust the installation on the server so that it can run AzureAD 2.0.
Here is a short tutorial:

And here the effect:

Wednesday, 13 February 2019

Password sync does not work: ADConnect and Office365

You have just configured ADConnect and password sync doesn't work?
Or maybe it just stopped working after some configuration changes?

If you are getting errors with ID 611, you need to check the AD permissions of the sync account. If you are not sure what they should be, run the cmdlet embedded in the ADSyncConfig module (it is included in AD Connect from version 1.1.880.0, released in August 2018, according to Microsoft):

Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"
Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountName YOUR_ADSYNC_ACCOUNTHERE -ADConnectorAccountDomain YOUR_LOCALDOMAIN_HERE
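A check for the two symptoms above, as an added example that is not part of the original post: it looks for recent event 611 entries and verifies that the sync account holds the two replication extended rights on the domain root that Set-ADSyncPasswordHashSyncPermissions grants. It assumes the RSAT ActiveDirectory module is installed on the AD Connect server and that the sync events are logged under the provider name "Directory Synchronization" (assumption).

```powershell
# Added example (not from the original post). Run on the AD Connect server.
# Assumes the ActiveDirectory RSAT module and that password sync events use the
# provider name "Directory Synchronization" (assumption; adjust if yours differs).
param(
    [Parameter(Mandatory)] [string] $ConnectorAccountName,   # e.g. MSOL_<id>, same as YOUR_ADSYNC_ACCOUNTHERE
    [Parameter(Mandatory)] [string] $ConnectorAccountDomain  # NetBIOS domain, same as YOUR_LOCALDOMAIN_HERE
)
Import-Module ActiveDirectory

# 1. Any event 611 (password hash sync failure) in the last 24 hours?
$since  = (Get-Date).AddDays(-1)
$events = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Directory Synchronization'; Id = 611; StartTime = $since
} -ErrorAction SilentlyContinue)
if ($events.Count -gt 0) {
    Write-Warning ("{0} event(s) with ID 611 since {1}; latest message:`n{2}" -f $events.Count, $since, $events[0].Message)
} else {
    Write-Host "No event 611 logged since $since."
}

# 2. Does the sync account hold the replication extended rights on the domain head?
$domain   = Get-ADDomain -Identity $ConnectorAccountDomain
$identity = "$ConnectorAccountDomain\$ConnectorAccountName"
$required = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'      # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'  # DS-Replication-Get-Changes-All
}
$acl     = Get-Acl -Path ("AD:\" + $domain.DistinguishedName)
$granted = $acl.Access |
    Where-Object {
        $_.IdentityReference.Value -eq $identity -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0)
    } |
    ForEach-Object { $_.ObjectType.ToString() }

foreach ($guid in $required.Keys) {
    $status = if ($granted -contains $guid) { 'OK     ' } else { 'MISSING' }
    Write-Host ("{0} {1} for {2}" -f $status, $required[$guid], $identity)
}
```

A MISSING line means the permissions were not applied to the domain head for that account, which is the case the cmdlet above repairs.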