Devolutions / devolutions-gateway

A blazing fast relay server adaptable to different protocols and desired levels of traffic inspection.
Apache License 2.0

KDC not working #954

Open Necrotyr opened 1 month ago

Necrotyr commented 1 month ago

Howdy,

We're trying to get KDC working with the gateway as we've started using the Protected Users group because of our security policy. We've enabled API hooking in RDM and pointed the gateway to a DC in the Devolutions Server, but it doesn't appear to be working.

When looking at the gateway logs I spot these entries, which I assume are the cause.

2024-07-31T08:28:34.525294Z INFO tcp{client=x.x.x.x:51033}:generic_client{session_id="01157001-44d0-41b8-a0d4-e0b7b263cb78" session_id="01157001-44d0-41b8-a0d4-e0b7b263cb78" protocol="Rdp" protocol="Rdp" target="tcp://server.domain.example:3389" target="tcp://server.domain.example:3389"}: devolutions_gateway::generic_client: TCP forwarding
2024-07-31T08:28:34.548042Z ERROR listener{port=7272}:https{client=x.x.x.x:51029}:request{method=POST path=/jet/KdcProxy}: devolutions_gateway::http: error=400 Bad Request at devolutions-gateway\src\api\kdc_proxy.rs:70:24: Requested domain is not supported
2024-07-31T08:28:34.548093Z INFO listener{port=7272}:https{client=x.x.x.x:51029}:request{method=POST path=/jet/KdcProxy}: devolutions_gateway::middleware::log: duration=511µs status=400 Bad Request
2024-07-31T08:28:34.559443Z ERROR listener{port=7272}:https{client=x.x.x.x:51029}:request{method=POST path=/jet/KdcProxy}: devolutions_gateway::http: error=400 Bad Request at devolutions-gateway\src\api\kdc_proxy.rs:70:24: Requested domain is not supported
2024-07-31T08:28:34.559485Z INFO listener{port=7272}:https{client=x.x.x.x:51029}:request{method=POST path=/jet/KdcProxy}: devolutions_gateway::middleware::log: duration=467µs status=400 Bad Request
2024-07-31T08:28:34.928776Z INFO tcp{client=x.x.x.x:51028}:generic_client{session_id="ddcbc8c5-dec3-4e4c-9d7b-8306ba4b45a1" session_id="ddcbc8c5-dec3-4e4c-9d7b-8306ba4b45a1" protocol="Rdp" protocol="Rdp" target="tcp://server.domain.example:3389" target="tcp://server.domain.example:3389"}: devolutions_gateway::proxy: Forwarding ended abruptly reason="An existing connection was forcibly closed by the remote host. (os error 10054)"

The gateway is joined to the same domain as the domain controller and the server we're trying to RDP to.

DVLS is 2024.1.15.0, RDM is 2024.1.32.0, Gateway is 2024.3.0.

Any suggestions?

awakecoding commented 1 month ago

Such support requests should normally be sent to our forums instead of this repository. This being said, the error is thrown when the requested Kerberos realm in the short-lived KDC proxying token does not match the Kerberos realm of the KDC proxying message.

Have you explicitly configured the Kerberos server URL and Kerberos realm in DVLS for the given Gateway? Is your RDP connection entry using the machine FQDN, with the username in UPN format?
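The realm comparison described above, as an added example that is not devolutions-gateway code: it DER-encodes an MS-KKDCP KDC-PROXY-MESSAGE, extracts its target-domain, and applies the token-realm check. It assumes the proxy compares the token's realm against the message's target-domain field; the gateway's own comparison may differ in detail.

```python
# Added example, not devolutions-gateway code. Assumption: the proxy compares the
# token's realm with the message's target-domain field (MS-KKDCP, DER encoded).

def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def encode_kdc_proxy_message(kerb_message: bytes, target_domain: str) -> bytes:
    """KDC-PROXY-MESSAGE ::= SEQUENCE { kerb-message [0] OCTET STRING,
    target-domain [1] KerberosString OPTIONAL, dclocator-hint [2] INTEGER OPTIONAL }"""
    fields = der_tlv(0xA0, der_tlv(0x04, kerb_message))            # [0] EXPLICIT
    fields += der_tlv(0xA1, der_tlv(0x1B, target_domain.encode()))  # [1] GeneralString
    return der_tlv(0x30, fields)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the DER TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def parse_target_domain(message: bytes):
    """Return the target-domain of a KDC-PROXY-MESSAGE, or None if absent."""
    tag, seq, _ = read_tlv(message, 0)
    if tag != 0x30:
        raise ValueError("KDC-PROXY-MESSAGE must be a SEQUENCE")
    pos = 0
    while pos < len(seq):
        tag, content, pos = read_tlv(seq, pos)
        if tag == 0xA1:                   # [1] target-domain
            inner, value, _ = read_tlv(content, 0)
            if inner != 0x1B:
                raise ValueError("target-domain must be a GeneralString")
            return value.decode("ascii")
    return None

def realm_is_supported(token_realm: str, message: bytes) -> bool:
    """The check behind 'Requested domain is not supported': the realm the token
    was issued for must match the realm the proxied message targets. This example
    compares case-insensitively; a strict implementation may require an exact match."""
    target = parse_target_domain(message)
    return target is not None and target.upper() == token_realm.upper()
```

A message whose target-domain is absent or names a different realm fails the check, which is what the 400 in the log above corresponds to.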

Necrotyr commented 1 month ago

Hi Marc-André, I'll move this to the forums if you want, didn't think about that, sorry.

To answer your questions: on the Devolutions server I've set the values for the gateway in question as follows:
KDC Server URL: tcp://dc.ourdomain.tld:88
Kerberos realm: ourdomain.tld (i.e. the full AD domain)

The server entry in RDM has server.ourdomain.tld in the host field, both the server we try to RDP to and the gateway itself are domain joined to ourdomain.tld.

Credentials are sourced from an entry in my user vault which is configured to use UPN.