(First of all, big thanks to Steve Syfuhs, who discovered this, and also to Murray Webber for showing this is possible through Azure App Proxy.)
Most large corporations are still using Active Directory, and although the move to the cloud is well underway, Active Directory is not going away anytime soon.
One issue that can arise when users have no VPN access or other direct line of sight to domain controllers is that a password change on the device cannot be synced to the domain: until the user visits an office site they cannot change their corporate password from their laptop, nor have their password reset by the Service Desk and replicated to their device. This is where KDC Proxy, a service used by RD Gateway and DirectAccess, can help.
**Before we start setting this up, I'll just say this is unsupported by Microsoft: it is not an independent product from Microsoft and is a byproduct of other supported services.**
Setup
This setup is in a hybrid Azure environment where on-premises Active Directory is synced to Azure, so services like Azure Application Proxy are available to us. Note: this can be set up without Azure, but the KDC proxy server would then need a public IP exposed to the internet with port 443 inbound open.
Certificate Creation
I used a certificate from our internal PKI; you could use a public certificate if you want to buy one.
On your certificate server, right-click Certificate Templates and click Manage.
Duplicate the Web Server certificate template.
In General, change the name of your template to something of your choosing, i.e. KDC Proxy or similar.
In Security, add the KDC Proxy server you are going to use and give it Read and Enroll rights.
Click Apply and OK. You can now issue this certificate template; we will enroll it in a moment once the KDC server is set up.
KDC Proxy Server Setup Part 1
You will need a domain-joined Windows Server 2012, 2016 or 2019 server.
Add the Remote Desktop Services server role (there are arguments online on whether this is needed, as the KDCProxy service exists even without it; however, like other testers have found, I could not get this solution to work without adding it).
On the Windows Server 2012, 2016 or 2019 server, go to Server Manager and add Remote Desktop Services.
Click Next until you get to Role Services and choose Remote Desktop Gateway; click Next and complete the setup.
Reboot the server.
Azure App Proxy Setup
Go to Azure Active Directory > Enterprise Applications.
Click New application.
Choose On-premises application.
Add the following details:
Name: a name of your choosing, i.e. KDC App Proxy (this just names the app in Azure).
Internal URL: your internal KDC server's FQDN, i.e. mykdcserver.internal.mycompany.com
External URL: this is created automatically as you type the other details; copy and paste or note down this external URL once the full name appears, as we will need it for the certificate we are going to enroll.
Pre Authentication: Passthrough
Connector Group: unless you have created a connector group you can leave this as Default. Connector groups make things neater: you can have different groups for different apps, and you can also group connectors together.
KDC Proxy Server Setup Part 2
Set up the proxy connector:
Go to Azure Active Directory > Application Proxy.
Click Download connector service.
Copy the setup file to your KDC server and run setup (you will need to sign in to Azure when it prompts; also, as it is a server, you may get the usual Java blockages etc. If you do, go into Internet Settings and unblock Java).
Open the computer certificate store (certlm.msc) and request a computer certificate.
You should find the KDC certificate template you issued earlier, as you gave this KDC server rights to enroll it. Click the "More information is required" link.
In the Subject, enter the following:
Common Name: the internal FQDN of your KDC App Proxy server, i.e. mykdcserver.internal.mycompany.com
DNS: enter both the internal FQDN of your KDC App Proxy server (the same as you put in Common Name) and the msappproxy address you noted down from the Enterprise App you just created, i.e. kdcappproxy-mycompany.msappproxy.net
General: it is worth giving the certificate a friendly name so it is easy to find if you ever need it; name it what you like. Click OK and we're done.
Go to the certificate you just created and copy the thumbprint; paste it into Notepad (you will need to remove the spaces).
Go to your Azure App you created and get the Application ID
Open an administrative command prompt and enter the following commands.
(You may need to amend the quotation marks if they don't paste well.)
1. netsh http add urlacl url=https://+:443/KdcProxy user="NT authority\Network Service"
2. netsh http add sslcert ipport=0.0.0.0:443 certhash=mycertthumbprintgoeshere appid={my azure app ID goes here}
(Replace the certhash with the thumbprint and the appid with the Application ID from Azure.)
3. sc config kpssvc start=auto
Open PowerShell and run the registry commands below.
4. As long as you are not using smart cards or Windows Hello for authentication, run the following to disable the client certificate authentication requirement:
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\KPSSVC\Settings" /v HttpsClientAuth /t REG_DWORD /d 0x0 /f
5. Also, if you ran step 3, enable password authentication:
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\KPSSVC\Settings" /v DisallowUnprotectedPasswordAuth /t REG_DWORD /d 0x0 /f
Finally, reboot the server.
The kpssvc service should start; you can check this in Services.
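The server-side steps above (URL ACL, TLS binding, service start type and the two KPSSVC registry values) collected into one re-runnable PowerShell script, as an added example that is not from the original post. It is run from an elevated PowerShell on the KDC proxy server; the thumbprint, Azure Application ID and external proxy host name are placeholder assumptions you replace with your own. It uses Set-Service instead of the post's sc command and checks the certificate before binding it, but otherwise does the same work.

```powershell
# Added example (not from the original post): server-side KDC proxy configuration.
# Placeholders below are assumptions; replace them with your own values.
$CertThumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'              # from certlm.msc, spaces are fine
$AzureAppId     = '{00000000-0000-0000-0000-000000000000}'     # Application ID of the Azure app
$ExternalHost   = 'kdcappproxy-mycompany.msappproxy.net'       # external URL host of the Azure app
$KpsSettings    = 'HKLM:\SYSTEM\CurrentControlSet\Services\KPSSVC\Settings'

# certlm.msc copies the thumbprint with spaces (and sometimes a hidden left-to-right
# mark at the start); keep only hex digits so netsh accepts it.
$CertThumbprint = ($CertThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

# Fail early if the certificate is not in the machine store, and warn if the external
# name clients connect through is missing from its SANs (clients would reject TLS).
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $CertThumbprint }
if (-not $cert) { throw "No certificate with thumbprint $CertThumbprint in Cert:\LocalMachine\My" }
$san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
if (-not $san -or ($san.Format($false) -notmatch [regex]::Escape($ExternalHost))) {
    Write-Warning "Certificate SAN does not contain $ExternalHost; clients will fail TLS validation"
}

# 1. Reserve the KdcProxy URL for the account the KPSSVC service runs as.
#    netsh reports an error if the reservation already exists, so check first.
$acl = netsh http show urlacl url=https://+:443/KdcProxy
if ($acl -notmatch 'Reserved URL') {
    netsh http add urlacl url=https://+:443/KdcProxy user="NT AUTHORITY\Network Service"
}

# 2. Bind the certificate to port 443, tagged with the Azure app ID.
$binding = netsh http show sslcert ipport=0.0.0.0:443
if ($binding -notmatch "Certificate Hash\s*:\s*$CertThumbprint") {
    netsh http add sslcert ipport=0.0.0.0:443 certhash=$CertThumbprint appid="$AzureAppId"
}

# 3. Start the KDC Proxy service automatically (equivalent of "sc config kpssvc start=auto").
Set-Service -Name kpssvc -StartupType Automatic

# 4./5. Relax the KPSSVC defaults exactly as the post does:
#   HttpsClientAuth = 0 removes the client-certificate requirement on the HTTPS listener
#   (only appropriate when smart cards / Windows Hello are not in use);
#   DisallowUnprotectedPasswordAuth = 0 lets password-based (AS-REQ) Kerberos through the proxy.
New-Item -Path $KpsSettings -Force | Out-Null
New-ItemProperty -Path $KpsSettings -Name HttpsClientAuth -PropertyType DWord -Value 0 -Force | Out-Null
New-ItemProperty -Path $KpsSettings -Name DisallowUnprotectedPasswordAuth -PropertyType DWord -Value 0 -Force | Out-Null

# Read everything back so the state is visible before the reboot the post calls for.
Get-Service kpssvc | Select-Object Name, Status, StartType
netsh http show sslcert ipport=0.0.0.0:443
Get-ItemProperty -Path $KpsSettings | Select-Object HttpsClientAuth, DisallowUnprotectedPasswordAuth
```

After the reboot, Get-Service kpssvc should report Running; if it does not, the sslcert binding output above is the first thing to check, since a thumbprint that does not match a certificate in the machine store leaves the listener without a usable TLS binding.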
Client Configuration (on the laptop you are going to test with)
You will need to tell clients where the proxy is; you can do this in one of two ways.
Option 1: add the following three registry keys and values.
DWORD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos
Name: KdcProxyServer_Enabled
Value: 1
String value (create the ProxyServers key if it doesn't exist)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\KdcProxy\ProxyServers
Name: internal.mycompany.com
Value: <https kdcappproxy-mycompany.msappproxy.net:443:kdcproxy />
(Enter your company's internal FQDN as the name and the Microsoft App Proxy external URL as the value; it must be in exactly this format, enclosed in <https />.)
DWORD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters
Name: NoRevocationCheck
Value: 0
Option 2: set Group Policy instead.
Computer Policies
Administrative Templates\System\Kerberos\Specify KDC proxy servers for Kerberos clients
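The registry option above as an elevated PowerShell script for the test laptop, with a read-back check at the end; this is an added example, not from the original post, and it covers only the registry route (Group Policy is the alternative the post describes). The DNS suffix and external proxy host below are assumptions to be replaced with your own.

```powershell
# Added example (not from the original post): client-side KDC proxy configuration.
# Both values below are assumptions; substitute your own suffix and Azure App Proxy host.
$DomainSuffix = 'internal.mycompany.com'                    # suffix the client should proxy
$ProxyHost    = 'kdcappproxy-mycompany.msappproxy.net'      # external URL host of the Azure app

$KerbPolicy   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos'
$ProxyServers = Join-Path $KerbPolicy 'KdcProxy\ProxyServers'
$KerbParams   = Join-Path $KerbPolicy 'Parameters'

# The value must be exactly "<https host:port:path />" or the Kerberos client ignores it.
$ProxyValue = '<https {0}:443:kdcproxy />' -f $ProxyHost

# Create the keys if they do not exist (ProxyServers and Parameters usually do not).
foreach ($key in @($KerbPolicy, $ProxyServers, $KerbParams)) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# 1. Turn KDC proxy support on for the client.
New-ItemProperty -Path $KerbPolicy -Name KdcProxyServer_Enabled -PropertyType DWord -Value 1 -Force | Out-Null

# 2. One string value per DNS suffix: the name is the suffix/realm, the value is the proxy URL.
New-ItemProperty -Path $ProxyServers -Name $DomainSuffix -PropertyType String -Value $ProxyValue -Force | Out-Null

# 3. NoRevocationCheck = 0 leaves revocation checking of the proxy's TLS certificate enabled;
#    only set it to 1 while troubleshooting a client that cannot reach your CRL/OCSP endpoints.
New-ItemProperty -Path $KerbParams -Name NoRevocationCheck -PropertyType DWord -Value 0 -Force | Out-Null

# Read the three values back so a typo in the URL format is caught before the reboot.
function Get-KdcProxyClientConfig {
    [pscustomobject]@{
        KdcProxyServer_Enabled = Get-ItemPropertyValue -Path $KerbPolicy   -Name 'KdcProxyServer_Enabled'
        ProxyServer            = Get-ItemPropertyValue -Path $ProxyServers -Name $DomainSuffix
        NoRevocationCheck      = Get-ItemPropertyValue -Path $KerbParams   -Name 'NoRevocationCheck'
    }
}
$config = Get-KdcProxyClientConfig
$config | Format-List
if ($config.ProxyServer -notmatch '^<https \S+:\d+:\S+ />$') {
    Write-Warning 'ProxyServers value is not in the <https host:port:path /> format the client expects'
}
```

Reboot the laptop afterwards, as the post says; once it has been online for a few minutes, klist get krbtgt from an elevated prompt is the confirmation that the ticket request went through the proxy.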
We are now finished. Reboot your laptop and, as long as you have internet access, log in; after a few minutes, run the following from an elevated command prompt:
klist get krbtgt
Even though you are not on a VPN or directly connected to a domain controller, you should see output similar to the following:
Troubleshooting
Steve Syfuhs has a great Fiddler extension for Kerberos that lets you see what's going on:
https://syfuhs.net/a-fiddler-extension-for-kerberos-messages