Client Certificate Renewal for the Azure AD Passthrough Authentication Agent

We recently came across an issue where the client certificate for the Azure AD Passthrough Authentication Agent wasn’t being renewed automatically. I understand that it should be renewed about 30 days before expiry, but this hadn’t happened and we were fast approaching the expiry date.

A simple way to renew the certificate manually is to jump onto the server where the passthrough agent is installed and run the following PowerShell commands to re-register the agent with Azure AD. The agent status in Azure AD will momentarily change to Inactive, but will then become Active again. You’ll need to run the .ps1 script from the directory where the Passthrough Agent is installed; typically this is under C:\Program Files\.

You can probably achieve the same result by uninstalling and reinstalling the agent also, but I haven’t tried that method.

PS C:\Program Files\Microsoft Azure AD Connect Authentication Agent>

# Global Administrator credentials used to re-register the agent.
# The password is converted to a SecureString so the PSCredential object can be built;
# replace both placeholders before running.
$User = '<Insert Global Administrator Username Here>'
$PlainPassword = '<Insert Global Administrator Password Here>'
$SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $SecurePassword

# Re-register the Passthrough Authentication connector with Azure AD; the agent briefly shows as Inactive
# while the new client certificate is issued, then returns to Active.
.\RegisterConnector.ps1 -modulePath "C:\Program Files\Microsoft Azure AD Connect Authentication Agent\Modules\" -moduleName "PassthroughAuthPSModule" -Authenticationmode Credentials -Usercredentials $cred -Feature PassthroughAuthentication

Local Administrator Password Solution

I’ve worked for a number of organisations and with customers who carry out penetration testing on their computer networks. One of the common issues raised around penetration testing of Windows clients is that the local administrator password is usually the same on all clients, which increases the risk of a Pass-the-Hash compromise: one recovered hash works on every machine.

Microsoft have now addressed this issue by releasing the Local Administrator Password Solution (LAPS) which in my opinion is long overdue.

Basically, LAPS still uses a common local administrator account name, but generates a random password for each client and stores that password in a confidential attribute on the machine’s computer account in Active Directory.

The password can then be read from Active Directory by those users who are authorised to do so.
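Since the value of LAPS rests on who can read that confidential attribute and on clients actually rotating it, the following added example (not part of the original post or of the LAPS tool itself) audits both for one OU. It assumes the legacy LAPS AdmPwd.PS module and the RSAT ActiveDirectory module are installed, and $OU is a placeholder distinguished name.

```powershell
# Added example, not from the original post: audit who can read LAPS passwords in an OU
# and list machines whose stored password is past its expiration time.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$OU = 'OU=Workstations,DC=example,DC=com'   # placeholder DN, adjust for your forest

# Principals holding the extended right that lets them read ms-Mcs-AdmPwd under this OU.
# Anyone listed here can recover the local admin password of every machine below it,
# so this list should be as short as the delegation model allows.
Find-AdmPwdExtendedRights -Identity $OU | ForEach-Object {
    [PSCustomObject]@{
        ObjectDN             = $_.ObjectDN
        ExtendedRightHolders = ($_.ExtendedRightHolders -join ', ')
    }
} | Format-Table -AutoSize

# ms-Mcs-AdmPwdExpirationTime is a FILETIME; a value in the past means the client-side
# extension has not rotated the password, i.e. that machine is back to a stale shared-style secret.
$now = (Get-Date).ToUniversalTime()
Get-ADComputer -SearchBase $OU -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    Where-Object { $_.'ms-Mcs-AdmPwdExpirationTime' } |
    ForEach-Object {
        $expires = [DateTime]::FromFileTimeUtc([int64]$_.'ms-Mcs-AdmPwdExpirationTime')
        [PSCustomObject]@{
            Computer           = $_.Name
            PasswordExpiresUtc = $expires
            Overdue            = ($expires -lt $now)
        }
    } |
    Where-Object Overdue |
    Sort-Object PasswordExpiresUtc |
    Format-Table -AutoSize
```

Machines that never report an expiration time do not appear in the second table; those are the ones on which the LAPS client has never written a password at all.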

You can read more about this tool and download it here.