bolkedebruin / rdpgw

Remote Desktop Gateway in Go for deploying on Linux/BSD/Kubernetes
Apache License 2.0

KDC Proxy #79

Closed andrewheberle closed 3 months ago

andrewheberle commented 10 months ago

I was attempting to utilise the KDC Proxy functionality of this project "standalone" to avoid having to run this service on a Windows server for external users, however this does not seem to work.

I had assumed the KDC Proxy would work as a drop-in replacement if it follows the specification for MS-KKDCP here:

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kkdcp/5bcebb8d-b747-4ee5-9453-428aec1c5c38

Should this work?

I had the following env vars set (this is running as a container):

The Kerberos config is very basic to simply enable DNS lookups of the KDC:

[libdefaults]
 dns_lookup_kdc = true

When using this KDC Proxy for an RDP session (not via the RDP GW) that uses smart-card authentication (which requires Kerberos) the connection fails complaining about NLA and the domain controller not being reachable by the client, however dropping in a Python-based KDC Proxy implementation (https://github.com/latchset/kdcproxy), everything works as expected and the Kerberos requests/responses are proxied to the DCs internally from the external client.

Am I totally abusing this feature?

I also attempted to just separate out the KDC Proxy functionality into my own project (https://github.com/andrewheberle/go-kdcproxy), however this also does not work.

andrewheberle commented 10 months ago

Probably bad form responding to my own issue but it looks like the problem is that the use of io.ReadAll in kdcproxy.KerberosProxy.forward coupled with working over TCP means it seems to just wait until the deadline expires and the connection is closed.

After having a look at a Python-based KDC Proxy implementation (https://github.com/latchset/kdcproxy) the correct approach seems to be to read the first 4 bytes in order to work out the length of the Kerberos reply and then read that number of bytes before closing the connection.

I’ve implemented this in my own KDC Proxy and this seems to work for me however I wouldn’t suggest making use of this code at the moment as it’s still under development, but assuming I’m not totally wrong with my findings, I’ll try to put a PR together to resolve this.
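
Added example (not part of the thread, and not code from rdpgw or go-kdcproxy): a length-prefixed read of a Kerberos reply over TCP as the comment above describes, with a size bound so a bad length cannot force a large allocation. The names `readKerberosTCP`, `maxKerberosMessage` and `demo`, and the 1 MiB cap, are assumptions made for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
	"time"
)

// maxKerberosMessage is an assumed upper bound for one reply (1 MiB).
const maxKerberosMessage = 1 << 20

// readKerberosTCP reads one message framed as a 4-byte big-endian length plus
// body (RFC 4120 section 7.2.2) and returns without waiting for EOF.
func readKerberosTCP(r io.Reader) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, fmt.Errorf("read length prefix: %w", err)
	}
	n := binary.BigEndian.Uint32(hdr[:])
	// The high bit is reserved (must be zero); oversized lengths are refused.
	if n&0x80000000 != 0 || n > maxKerberosMessage {
		return nil, errors.New("invalid kerberos message length")
	}
	msg := make([]byte, n)
	if _, err := io.ReadFull(r, msg); err != nil {
		return nil, fmt.Errorf("read message body: %w", err)
	}
	return msg, nil
}

// demo simulates a KDC that replies and then leaves the connection open,
// the case in which reading to EOF would block until the deadline.
func demo(payload []byte) ([]byte, error) {
	client, kdc := net.Pipe()
	defer client.Close()
	defer kdc.Close()
	go func() {
		frame := binary.BigEndian.AppendUint32(nil, uint32(len(payload)))
		kdc.Write(append(frame, payload...)) // constructed reply; no Close
	}()
	client.SetReadDeadline(time.Now().Add(2 * time.Second))
	return readKerberosTCP(client)
}

func main() {
	msg, err := demo([]byte("constructed-reply"))
	fmt.Println(len(msg), err)
}
```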

bolkedebruin commented 9 months ago

Looking at the implementation myself here, it's not fully featured yet. So you are probably right. A PR would be very welcome.

bolkedebruin commented 3 months ago

This should be resolved now.