by cryptonector 449 days ago
Kerberos has a protocol for when you don't have a line of sight to the KDC: IAKERB. IIRC MSFT is very interested in it in order to kill off NTLM finally.

IAKerb still hasn't shipped - it's a preview feature. Meanwhile, we've been doing KDC proxying successfully in Devolutions Gateway for several years. Sometimes you can wait forever for a supposedly better solution, or you can just make it work in the most obvious way. In the end, all you need is to forward KDC messages, right? It's annoying that it's out-of-band, but the KDC proxying protocol is just an HTTP POST that takes a request message, and sends the response message back.
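The "HTTP POST that takes a request message, and sends the response message back" above is Microsoft's MS-KKDCP (Kerberos KDC Proxy Protocol). As an added illustration, not code from the thread or from Devolutions Gateway, here is a dependency-free encoder/decoder for the KDC-PROXY-MESSAGE wrapper the body carries, with the framing check a proxy should apply before forwarding anything to a KDC. Assumptions, stated from the public spec rather than from this page: the body is DER, `kerb-message` is the Kerberos message with its 4-byte TCP length prefix, the request goes to `/KdcProxy` with `Content-Type: application/kerberos`, and the sample Kerberos message bytes are constructed placeholders (`SAMPLE_KRB_MSG`), not a real AS-REQ.

```python
"""MS-KKDCP KDC-PROXY-MESSAGE framing (added example; assumptions from the spec):

    KDC-PROXY-MESSAGE ::= SEQUENCE {
        kerb-message    [0] OCTET STRING,       -- 4-byte length prefix + KRB message
        target-domain   [1] KerberosString OPTIONAL,
        dclocator-hint  [2] INTEGER OPTIONAL
    }
"""
import struct
from typing import Optional, Tuple

# Constructed stand-in for a DER-encoded AS-REQ; a real one is far longer.
SAMPLE_KRB_MSG = b"\x6a\x03\x02\x01\x05"


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_uint(value: int) -> bytes:
    """DER INTEGER for a non-negative value, minimal two's-complement length."""
    if value < 0:
        raise ValueError("dclocator-hint must be non-negative")
    return _tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))


def encode_kdc_proxy_message(krb_msg: bytes, target_domain: Optional[str] = None,
                             dclocator_hint: Optional[int] = None) -> bytes:
    # kerb-message is the message exactly as it would travel over TCP/88:
    # a 4-byte big-endian length followed by the Kerberos PDU.
    kerb_message = struct.pack(">I", len(krb_msg)) + krb_msg
    fields = _tlv(0xA0, _tlv(0x04, kerb_message))                         # [0] OCTET STRING
    if target_domain is not None:
        fields += _tlv(0xA1, _tlv(0x1B, target_domain.encode("ascii")))  # [1] GeneralString
    if dclocator_hint is not None:
        fields += _tlv(0xA2, _der_uint(dclocator_hint))                   # [2] INTEGER
    return _tlv(0x30, fields)                                              # SEQUENCE


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _expect(tag: int, want: int) -> None:
    if tag != want:
        raise ValueError(f"expected tag 0x{want:02x}, got 0x{tag:02x}")


def decode_kdc_proxy_message(data: bytes) -> dict:
    """Unwrap a KDC-PROXY-MESSAGE; the inner Kerberos message is returned with
    its length prefix stripped, after checking that the prefix matches."""
    tag, seq, end = _read_tlv(data, 0)
    _expect(tag, 0x30)
    if end != len(data):
        raise ValueError("trailing bytes after KDC-PROXY-MESSAGE")
    result = {"kerb_message": None, "target_domain": None, "dclocator_hint": None}
    pos = 0
    while pos < len(seq):
        tag, inner, pos = _read_tlv(seq, pos)
        itag, value, iend = _read_tlv(inner, 0)   # explicit tag wraps one TLV
        if iend != len(inner):
            raise ValueError("trailing bytes inside explicit tag")
        if tag == 0xA0:
            _expect(itag, 0x04)
            if len(value) < 4:
                raise ValueError("kerb-message shorter than its length prefix")
            (declared,) = struct.unpack(">I", value[:4])
            if declared != len(value) - 4:
                raise ValueError("kerb-message length prefix does not match payload")
            result["kerb_message"] = value[4:]
        elif tag == 0xA1:
            _expect(itag, 0x1B)
            result["target_domain"] = value.decode("ascii")
        elif tag == 0xA2:
            _expect(itag, 0x02)
            result["dclocator_hint"] = int.from_bytes(value, "big", signed=True)
        else:
            raise ValueError(f"unexpected field tag 0x{tag:02x}")
    if result["kerb_message"] is None:
        raise ValueError("kerb-message is mandatory")
    return result


def is_valid_kdc_proxy_message(data: bytes) -> bool:
    """What a proxy should ask before opening a KDC connection for a body."""
    try:
        decode_kdc_proxy_message(data)
        return True
    except ValueError:
        return False


def build_http_request(host: str, body: bytes, path: str = "/KdcProxy") -> bytes:
    """Frame the DER body as the HTTP POST a KKDCP client sends (TLS handled by the transport)."""
    headers = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
               "Content-Type: application/kerberos\r\n"
               f"Content-Length: {len(body)}\r\n\r\n")
    return headers.encode("ascii") + body


if __name__ == "__main__":
    wrapped = encode_kdc_proxy_message(SAMPLE_KRB_MSG, "EXAMPLE.COM", 0)
    print(wrapped.hex())
    print(decode_kdc_proxy_message(wrapped))
    print(build_http_request("kdcproxy.example.com", wrapped)[:60])
```

The response travels back the same way: the KDC's reply (with its 4-byte length prefix) wrapped in a KDC-PROXY-MESSAGE as the HTTP response body, so the same decoder serves both directions. The length-prefix check matters on the proxy side because the proxy is the one that turns an unauthenticated HTTPS body into a TCP write to a domain controller; rejecting malformed framing before forwarding keeps the proxy from acting as a blind relay.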
Right, but while I know a lot about Kerberos I know very little about AVD. Does Microsoft expose an HTTPS proxy for the KDCs?
You need to deploy the KDC proxy yourself, and then add it to the .RDP file options in your AVD feed. It's not something that works out of the box: https://learn.microsoft.com/en-us/azure/virtual-desktop/key-...
Aha. Thanks!