
KDC not working #954

Open
Necrotyr opened this issue Jul 31, 2024 · 2 comments

Comments


Necrotyr commented Jul 31, 2024

Howdy,

We're trying to get KDC working with the gateway, as we've started using the Protected Users group because of our security policy. We've enabled API hooking in RDM and pointed the gateway to a DC in the Devolutions Server, but it doesn't appear to be working.

When looking at the gateway logs I spot these entries, which I assume are the cause.

2024-07-31T08:28:34.525294Z INFO tcp{client=x.x.x.x:51033}:generic_client{session_id="01157001-44d0-41b8-a0d4-e0b7b263cb78" session_id="01157001-44d0-41b8-a0d4-e0b7b263cb78" protocol="Rdp" protocol="Rdp" target="tcp://server.domain.example:3389" target="tcp://server.domain.example:3389"}: devolutions_gateway::generic_client: TCP forwarding
2024-07-31T08:28:34.548042Z ERROR listener{port=7272}:https{client=x.x.x.x:51029}:request{method=POST path=/jet/KdcProxy}: devolutions_gateway::http: error=400 Bad Request at devolutions-gateway\src\api\kdc_proxy.rs:70:24: Requested domain is not supported
2024-07-31T08:28:34.548093Z INFO listener{port=7272}:https{client=x.x.x.x:51029}:request{method=POST path=/jet/KdcProxy}: devolutions_gateway::middleware::log: duration=511µs status=400 Bad Request
2024-07-31T08:28:34.559443Z ERROR listener{port=7272}:https{client=x.x.x.x:51029}:request{method=POST path=/jet/KdcProxy}: devolutions_gateway::http: error=400 Bad Request at devolutions-gateway\src\api\kdc_proxy.rs:70:24: Requested domain is not supported
2024-07-31T08:28:34.559485Z INFO listener{port=7272}:https{client=x.x.x.x:51029}:request{method=POST path=/jet/KdcProxy}: devolutions_gateway::middleware::log: duration=467µs status=400 Bad Request
2024-07-31T08:28:34.928776Z INFO tcp{client=x.x.x.x:51028}:generic_client{session_id="ddcbc8c5-dec3-4e4c-9d7b-8306ba4b45a1" session_id="ddcbc8c5-dec3-4e4c-9d7b-8306ba4b45a1" protocol="Rdp" protocol="Rdp" target="tcp://server.domain.example:3389" target="tcp://server.domain.example:3389"}: devolutions_gateway::proxy: Forwarding ended abruptly reason="An existing connection was forcibly closed by the remote host. (os error 10054)"

The gateway is joined to the same domain as the domain controller and the server we're trying to RDP to.

DVLS is 2024.1.15.0
RDM is 2024.1.32.0
Gateway is 2024.3.0

Any suggestions?

@awakecoding (Contributor):

Such support requests should normally be sent to our forums instead of this repository. This being said, the error thrown is when the requested Kerberos realm in the short-lived KDC proxying token does not match the Kerberos realm of the KDC proxying message.

Have you explicitly configured the Kerberos server URL and Kerberos realm in DVLS for the given Gateway? Is your RDP connection entry using the machine FQDN, with the username in UPN format?


Necrotyr commented Aug 2, 2024

Hi Marc-André, I'll move this to the forums if you want; I didn't think about that, sorry.

To answer your questions: on the Devolutions Server I've set the values for the gateway in question as follows:
KDC Server URL: tcp://dc.ourdomain.tld:88
Kerberos realm: ourdomain.tld (i.e. the full AD domain)

The server entry in RDM has server.ourdomain.tld in the host field, both the server we try to RDP to and the gateway itself are domain joined to ourdomain.tld.

Credentials are sourced from an entry in my user vault which is configured to use UPN.
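As an added illustration of the check awakecoding describes (the realm in the KDC proxying token must match the realm of the KDC proxying message) and of the realm value configured above, here is a small self-contained Python example. It is example code written for this thread, not the gateway's own implementation. It assumes the MS-KKDCP wire format for KDC-PROXY-MESSAGE (a DER SEQUENCE with kerb-message [0] OCTET STRING carrying a 4-byte length prefix, target-domain [1] KerberosString, dclocator-hint [2] INTEGER), and it assumes, as a defensive simplification, that a proxy would compare realms case-insensitively after stripping a trailing dot; the gateway's actual comparison rule is not confirmed by this thread. The Kerberos payload bytes are constructed placeholders, not a real AS-REQ.

```python
from typing import Optional

# ---- minimal DER helpers (enough for KDC-PROXY-MESSAGE) ----

def _der_len(n: int) -> bytes:
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


# ---- KDC-PROXY-MESSAGE (MS-KKDCP 2.2.2) ----

def build_kdc_proxy_message(kerb_message: bytes, target_domain: Optional[str]) -> bytes:
    """Wrap a Kerberos message the way a KKDCP client does."""
    # kerb-message [0] OCTET STRING: 4-byte big-endian length, then the KDC message
    fields = _tlv(0xA0, _tlv(0x04, len(kerb_message).to_bytes(4, "big") + kerb_message))
    if target_domain is not None:
        # target-domain [1] KerberosString (GeneralString, tag 0x1B)
        fields += _tlv(0xA1, _tlv(0x1B, target_domain.encode("ascii")))
    return _tlv(0x30, fields)


def parse_kdc_proxy_message(data: bytes) -> dict:
    """Decode the SEQUENCE and validate the inner length prefix."""
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a single DER SEQUENCE")
    out = {"kerb_message": b"", "target_domain": None, "dclocator_hint": None}
    pos = 0
    while pos < len(body):
        ctx_tag, inner, pos = _read_tlv(body, pos)
        inner_tag, value, _ = _read_tlv(inner, 0)
        if ctx_tag == 0xA0 and inner_tag == 0x04:
            declared = int.from_bytes(value[:4], "big")
            if declared != len(value) - 4:
                raise ValueError("kerb-message length prefix does not match payload")
            out["kerb_message"] = value[4:]
        elif ctx_tag == 0xA1 and inner_tag == 0x1B:
            out["target_domain"] = value.decode("ascii")
        elif ctx_tag == 0xA2 and inner_tag == 0x02:
            out["dclocator_hint"] = int.from_bytes(value, "big", signed=True)
        else:
            raise ValueError(f"unexpected field tag {ctx_tag:#x}/{inner_tag:#x}")
    return out


# ---- the realm check the error message points at ----

def normalize_realm(realm: str) -> str:
    # Assumption: compare case-insensitively and ignore a trailing dot.
    return realm.strip().rstrip(".").upper()


def check_kdc_proxy_request(token_realm: str, der_message: bytes) -> dict:
    """Accept the request only if the message realm matches the token realm."""
    msg = parse_kdc_proxy_message(der_message)
    target = msg["target_domain"]
    if target is None:
        return {"accepted": False, "reason": "missing target-domain in KDC-PROXY-MESSAGE"}
    if normalize_realm(target) != normalize_realm(token_realm):
        return {"accepted": False,
                "reason": f"realm mismatch: token={token_realm!r} message={target!r}"}
    return {"accepted": True, "reason": "ok", "kerb_message_len": len(msg["kerb_message"])}


# Constructed placeholder: APPLICATION 10 tag (AS-REQ) with a dummy body, NOT a real request.
FAKE_AS_REQ = b"\x6a\x03\x01\x02\x03"

if __name__ == "__main__":
    good = build_kdc_proxy_message(FAKE_AS_REQ, "OURDOMAIN.TLD")
    print(check_kdc_proxy_request("ourdomain.tld", good))
    bad = build_kdc_proxy_message(FAKE_AS_REQ, "OTHER.TLD")
    print(check_kdc_proxy_request("ourdomain.tld", bad))
```

When the rejection reason is logged this way (token realm beside message realm), a mismatch between the realm configured for the gateway in DVLS and the realm the client puts in the proxied message is immediately visible, instead of only a generic "Requested domain is not supported".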
