Hi Serge Caron,
How was the issue? It seems your previous answer has been deleted. I could not read it.
VP
With Server 2025, how do you avoid NTLM authentication for a RDP session originating from a non domain workstation ?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 10%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESC%3C/text%3E%3C/svg%3E)
Serge Caron
25
Reputation points
In order to reduce complexity, I am using a test domain consisting of a single domain controller ON PREMISES and a single user, the domain administrator.
There is a single role installed: Remote Desktop Gateway. None of the other 5 RDS roles are installed. Direct Access and/or VPNs are not allowed in this test.
The AD domain is MyDomain.local and the internal FQDN is MyServer.MyDomain.local
There is a Let's Encrypt certificate installed on this server for MyServer.MyDomain.TLD.
Finally, there is a single port 443 forwarded to the server from the firewall.
I can RDP into this server from the Internet to MyServer.MyDomain.local via RDG MyServer.MyDomain.TLD.
However, all logons are downgraded to NTLMv2 even if I set
rdgiskdcproxy:i:1
kdcproxyname:s:MyServer.Mydomain.TLD
In this test case, I am using a non domain joined Windows 10 Pro client (even if I know it is deprecated): we need to demonstrate RDG working with BYOD, including non Windows devices.
Is there a way to do this in Windows Server 2025 ?
Windows for business | Windows Server | Directory services | User logon and profiles
Answer accepted by question author
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 16%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EV%3C/text%3E%3C/svg%3E)
VPHAN 25,000 Reputation points Independent Advisor2025-12-19T17:36:53.1433333+00:00
44 additional answers
Sort by: Most helpful
-
Serge Caron 25 Reputation points
2025-12-29T15:19:45.63+00:00 Hello VPHAN,
Here is the answer to the conumdrum: there is an exception for the builtin domain administrator.
When the client computer from which the connection is made is not a member of the same AD forest ("
SOMEDOMAIN.TLD") as the target computer and when the credentials are for any other user account, the target DC issues two DNS requests for "_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.SOMEDOMAIN.TLD: type SRV, class IN" and "_kerberos._tcp.dc._msdcs.SOMEDOMAIN.TLD" where " .Upon receiving the "No such name" answer from the SOA public DNS servers of "somedomain.tld", the connection is downgraded to NTLMv1.2.
I do not know if exposing the builtin domain administrator account to RD connections is documented as an additionnal security risk.
A domain user no wanting to leave the current session can connect a domain-joined computer to a target computer using Kerberos by invoking a local account. In PowerShell 5.1, the command
Start-Process mstsc.exe -ArgumentList PathToConnector.rdp ` -Credential $(Get-Credential -Message "Specify a Local user account:")The connection is made in the context of the selected local user, meaning operations such as cut and paste are restricted.
However, the RDP session is Kerberos protected and the target user can be a member of the Protected Users group.
I will try to document this here.
Regards,
-
Serge Caron 25 Reputation points
2025-12-25T14:53:13.09+00:00 Hello VPHAN,
Approximately one third of the world population in 160 countries will celebrate Christmas today, either by conviction or by convention. Merry Christmas to you!
Here is the conumdrum: connections to the test rig (Server 2025) always succeed using "
prompt for credentials:i:0", wheter from a local account or a domain joined account on the same workstation.There is a vocabulary issue here but before I get to this, let's review the hardwired setup of these Server 2025. We have:
Internet --> Firewall External IPv4 --> Firewall Internal IPv4 --> Switch --> Server 2025 Static IPv4The only incoming traffic NATed to the Server 2025 is on TCP port 443. Using UDP port 3391 has no bearing on the issue.
KdcProxy is an application as far as IIS is concerned. I posted question https://learn.microsoft.com/en-us/answers/questions/5678882/what-are-the-risks-of-exposing-the-windows-kerbero with the exact IIS parameters used in both Server 2025.
With this in mind, we have:
- "
full address:s:myserver.mydomain.local" resolves to the internal IP address of the Server 2025 - "
gatewayhostname:s:myserver.mydomain.tld" resolves to the external IP address of the firewall - "prompt for credentials:i:1" should be set bnut this is not a necessary requirement
- "rdgiskdcproxy:i:1" is required to glue the proxy to the DC
Which leaves us with "
kdcproxyname:s:...": what is the name space used here ? By construction, the firewall will not reflect anyting to the server if the server attemps to connect using this value. The client will not connect directly to anything inside the realm. Finally, if this should be an SPN (HTTP, TERMSVR, etc) what is expected here ?Right now, this is not going the way you present it.
Regards,
- "
-
Serge Caron 25 Reputation points
2025-12-22T16:31:52.12+00:00 Hello VPHAN,
I now have krbtgt encrypted with AES-256-CTS-HMAC-SHA1-96 instead of RC4 and I can see that this has no bearing on the issue.
If I force my production server to always present the myserver.mydomain.tld certificate (using SSLCertificateSHA1Hash), I can see the certificate mismatch when the client (joined to a domain that has no trust relationship with the target) connects.
mstsc.exe displays the name of the target machine myserver.mydomain.local and the subject name of the certificate rdg.mydomain.tld and ask to confirm the connection which will then be downgraded to NTLM.
This does not happen if the client is not domain joined: this can be a local account on the same machine.
I do not observe this behavior with my test Server 2025: kerberos succeeds whether the client is local or domain joined to some other domain. A tedious compare of the SPNs on both servers yields no indication of the reason for which a mismatch occurs.
The mismatch is created on purpose. Why does mstsc.exe succeeds in one case and not the other ?
Regards,
-
VPHAN 25,000 Reputation points Independent Advisor
2025-12-25T01:33:41.54+00:00 You have done an outstanding job isolating the variables. The behavior you are seeing with the "PromptCredentialOnce" setting is the final key to the Domain-Joined behavior, and it makes perfect sense architecturally.
Here are the answers to your remaining questions to finalize the BYOD and Untrusted-Domain scenarios.
- The WOW6432Node Registry Key
Verdict: You should remove the reference to WOW6432Node.
Why: WOW6432Node is strictly for 32-bit applications running on a 64-bit OS. The RDP client (mstsc.exe) and the Local Security Authority (lsass.exe) handling Kerberos are native 64-bit processes on modern Windows. They read from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters.
Mirroring: There is no automatic mirroring for these policy keys. If you write to the WOW6432Node path, the native 64-bit OS ignores it.
- The Domain-Joined Behavior (The "SSO" Trap)
You asked: "In your mind... the user's domain mechanic will take over... and there will be a failure to create an independent tunnel... Am I reading your request correctly?"
Yes, precisely. When you are logged into a Domain-Joined workstation (Domain A) and attempt to connect to an external, untrusted Realm (Domain B):
Default Behavior (promptcredentialonce:i:0): The RDP client attempts Single Sign-On (SSO) or "Lazy Authentication." It tries to resolve the target SPN (TERMSRV/Target) using your current Identity (Domain A). It asks the Domain A KDC for a referral ticket to Domain B.
Since there is no Trust Relationship, Domain A's KDC says: "I don't know where that is."
Instead of falling back to your local ksetup mappings immediately, the RDP client often interprets this "Path Not Found" from its own DC as a hard stop for Kerberos, and immediately downgrades to NTLM to prompt you.
The Fix (promptcredentialonce:i:1): This setting forces Pre-Authentication. It demands credentials before any network traffic is generated.
You enter: DOMAIN_B\User.
mstsc.exe now explicitly knows the target context is DOMAIN_B.
It bypasses the local Domain A KDC entirely.
It consults the local registry (ksetup), finds the Proxy Mapping for DOMAIN_B, and successfully initiates the Kerberos tunnel.
This explains why your Local User works (no Domain A context to interfere) and why PromptCredentialOnce fixes the Domain User. For untrusted cross-domain RDP, promptcredentialonce:i:1 is best practice.
- The Certificate Mismatch (The "Symptom")
You observed: "mstsc.exe displays the name of the target machine myserver.mydomain.local and the subject name of the certificate rdg.mydomain.tld... This mismatch is created on purpose."
This mismatch warning appears only because Kerberos (NLA) failed.
When Kerberos Works: The mutual authentication happens at the protocol layer. The session is encrypted inside the verified Kerberos tunnel. The RDP client trusts the server because the Ticket proves identity. It barely looks at the SSL certificate's name.
When Kerberos Fails: The client falls back to Standard RDP Security (TLS). It connects to rdg.mydomain.tld (the Gateway IP). The Server presents its cert (rdg.mydomain.tld). The RDP Client, however, was trying to reach myserver.mydomain.local (from the .rdp file).
The Error: "You asked for myserver (Internal), but this server is proving it is rdg (External)."
Conclusion: This warning is just the visual confirmation that you fell back to NTLM/TLS. It disappears the moment promptcredentialonce:i:1 restores Kerberos.
Sign in to comment -
-
Serge Caron 25 Reputation points
2025-12-20T21:02:11.6533333+00:00 OOPS! That's not quite it. There seems to be a dependency on the remote DC support for RC4. No RC4 = pass, RC4 = downgrade, both DC Server 2025 with the RDG role installed.Back to your valuable knowledge ;-)
Regards,