Hacker News new | ask | show | jobs
by awakecoding 448 days ago
RDP-over-SSH will break Kerberos authentication for two reasons: 1) you'll point the RDP client to localhost and a random port and 2) you won't get a KDC line-of-sight. The irony is Microsoft has demoed this with SSH over Azure Arc, which can only result in an NTLM downgrade.

IronRDP is designed to work with Devolutions Gateway (https://github.com/Devolutions/devolutions-gateway) for just-in-time RDP connections made from the web or through the desktop client. Devolutions Gateway also supports just-in-time KDC proxying alongside the main RDP connection, making Kerberos possible.

You can install the free standalone web access package of Devolutions Gateway to try it out, it will give you a simple web interface where you can enter the hostname, username and password.

But if you really want the simplest solution, it's with the rest of the Devolutions stack with Remote Desktop Manager and Devolutions Server. In the end, you'll be able to make RDP connections from RDM or through the web with just a double-click, and it'll automatically generate short-lived tokens and make RDP + Kerberos work seamlessly: https://devolutions.net/gateway/
2 comments
cryptonector 448 days ago
Kerberos has a protocol for when you don't have a line of sight to the KDC: IAKERB. IIRC MSFT is very interested in it in order to kill off NTLM finally.
link
awakecoding 448 days ago
IAKerb still hasn't shipped - it's a preview feature. Meanwhile, we've been doing KDC proxying successfully in Devolutions Gateway for several years. Sometimes you can wait forever for a supposedly better solution, or you can just make it work in the most obvious way. In the end, all you need is to forward KDC messages, right? It's annoying that it's out-of-band, but the KDC proxying protocol is just an HTTP POST that takes a request message, and sends the response message back.
link
cryptonector 447 days ago
Right, but while I know a lot about Kerberos I know very little about AVD. Does Microsoft expose an HTTPS proxy for the KDCs?
link
awakecoding 447 days ago
You need to deploy the KDC proxy yourself, and then add it to the .RDP file options in your AVD feed. It's not something that works out of the box: https://learn.microsoft.com/en-us/azure/virtual-desktop/key-...
link
cryptonector 447 days ago
Aha. Thanks!
link
mmooss 448 days ago
Here's RDP over ssh, per one commenter:

https://news.ycombinator.com/item?id=43441584

link