Hi Serge Caron,
How was the issue? It seems your previous answer has been deleted. I could not read it.
VP
With Server 2025, how do you avoid NTLM authentication for a RDP session originating from a non domain workstation ?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 10%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESC%3C/text%3E%3C/svg%3E)
Serge Caron
25
Reputation points
In order to reduce complexity, I am using a test domain consisting of a single domain controller ON PREMISES and a single user, the domain administrator.
There is a single role installed: Remote Desktop Gateway. None of the other 5 RDS roles are installed. Direct Access and/or VPNs are not allowed in this test.
The AD domain is MyDomain.local and the internal FQDN is MyServer.MyDomain.local
There is a Let's Encrypt certificate installed on this server for MyServer.MyDomain.TLD.
Finally, there is a single port 443 forwarded to the server from the firewall.
I can RDP into this server from the Internet to MyServer.MyDomain.local via RDG MyServer.MyDomain.TLD.
However, all logons are downgraded to NTLMv2 even if I set
rdgiskdcproxy:i:1
kdcproxyname:s:MyServer.Mydomain.TLD
In this test case, I am using a non domain joined Windows 10 Pro client (even if I know it is deprecated): we need to demonstrate RDG working with BYOD, including non Windows devices.
Is there a way to do this in Windows Server 2025 ?
Windows for business | Windows Server | Directory services | User logon and profiles
Answer accepted by question author
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 16%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EV%3C/text%3E%3C/svg%3E)
VPHAN 25,000 Reputation points Independent Advisor2025-12-19T17:36:53.1433333+00:00
44 additional answers
Sort by: Most helpful
-
Serge Caron 25 Reputation points
2025-12-15T22:33:05.5633333+00:00 Hello VPHAN,
I have more control over the Server 2022 so I will concentrate on this server first.
There is some use case on this server for SSTP but not when using IPv6. So, the binding was removed. By the way, I did add some warnings in my script to alert for this condition.
I have also updated the server to the latest build (just in case...).
Finally, I have enabled the Kerberos-KDCProxy event log.
When a connection is attempted, I see events 400 ("An HTTP request was recived"), an event 306 ("Rediscover the KDC for domain mydomain.tld" notice the case: it matches the domain's UPN), an event 309 (KDC ...IP... (\FQDN of the DC) rediscovered for domain mydomain.tld/MYDOMAIN.TLD depending on UPN).
This sequence is repeated three times as if the explicit KDC mapping is ignored by the RDG.
On this domain, there is a single DC and "dcdiag /test:CheckSecurityError" sucessfully passes all tests.
All internal RDP sessions display the padlock "Identify Verified by Kerberos".
The RDG server does not log the NTLM or Kerberos events, which is an annoyance considering event 400 quoted above.
The server is presently at 21H2 Build 20348.4529 in case this is significant.
There is a piece missing :-(
Regards,
-
VPHAN 25,000 Reputation points Independent Advisor
2025-12-16T03:05:42.9+00:00 The "Missing Piece" here is how the KDC Proxy service (KpsSvc) determines Routing vs. Realm.
The specific events you are seeing (Events 306 and 309) combined with the "Three Retries" loop tell the whole story: The KDC Proxy is ignoring your Explicit Mapping because of a string mismatch, failing over to DNS Discovery, and then likely hitting a generic routing or strict-checking wall.
You mentioned the script sets up the registry key based on
(Get-WmiObject Win32_ComputerSystem).Domain.ToUpper(). On your Member Server, this creates a key for the Active Directory Domain (e.g.,MYDOMAIN.LOCAL).However, your logs show:
Rediscover the KDC for domain mydomain.tld. This implies your client is sending the request with the Realm/Domain set tomydomain.tld(likely derived from the UPN you typed:******@mydomain.tld).The mismatch:
Request Realm: mydomain.tld
Registry Key: MYDOMAIN.LOCAL
Because KpsSvc is extremely literal, it looks for HKLM...\KdcProxy\mydomain.tld. It finds nothing. It concludes: "I have no static route for this realm." It then falls back to DNS Discovery (Event 306), finds the DC via DNS (Event 309), and attempts to send the packet.
=> Why the Connection Fails after Discovery (The "Loop")?
The sequence repeats three times because the connection is timing out or being reset, not because of an authentication error (Bad Password would stop it instantly).
When
KpsSvcdoes dynamic discovery, it might be attempting to communicate via UDP 88 first, or it might be resolving to an IP that is reachable but restricted. When you use the Explicit Registry Mapping, you effectively force the Proxy to use TCP 88 (the preferred method for KDC Proxy) and target the specific IP addresses you define, bypassing the vagaries of DNS and UDP fragmentation."No Events" on the RDG: You are correct that the lack of Security Logs is annoying, but it is architecturally normal. The RD Gateway, acting as a KDC Proxy, is a "Layer 4" tunnel for Kerberos. It passes the encrypted blob from Client to DC. It cannot peek inside to see who is logging in or if it succeeded. It only sees the TCP stream open and close. The audit trail lives solely on the DC.
=> You need to add a KDC Proxy mapping for the External/UPN Domain (
mydomain.tld) that points to the same Internal DCs.$IncomingRealm = "mydomain.tld"
$KdcProxyBase = "HKLM:\SYSTEM\CurrentControlSet\Services\KPSSVC\Settings\KdcProxy"
$AliasPath = "$KdcProxyBase$IncomingRealm"
$OfficialDomain = (Get-WmiObject Win32_ComputerSystem).Domain.ToUpper()
$OfficialPath = "$KdcProxyBase$OfficialDomain"
if (Test-Path $OfficialPath) {
$DCs = (Get-ItemProperty -Path $OfficialPath).KdcNames Write-Host "Detected DCs from main config: $DCs" Write-Host "Creating Alias Mapping for: $IncomingRealm" if (-not (Test-Path $AliasPath)) { New-Item -Path $AliasPath -Force | Out-Null } # Create the mapping for the alias New-ItemProperty -Path $AliasPath -Name "KdcNames" -Type MultiString -Value $DCs -Force Write-Host "Alias created. Restarting KpsSvc..." Restart-Service KPSSVC} else {
Write-Warning "Could not find the main domain configuration at $OfficialPath"}
Verification
- Run the script.
- Attempt the connection from the client.
- Check the
Kerberos-KDCProxylog again.- Success Indicator: You should no longer see Event 306 ("Rediscover"). Instead, the proxy will silently hit the registry cache and forward the traffic immediately via TCP.
- If it still fails, check the Windows Firewall on the Domain Controller. Ensure it allows TCP Port 88 (Kerberos) from the IP Address of the Server 2022 Member Server. (In a default DC setup, this is allowed, but in hardened environments, it might be restricted to "Domain Controllers Only" if not carefully scoped).
Sign in to comment -
-
VPHAN 25,000 Reputation points Independent Advisor
2025-12-15T18:41:05.5833333+00:00 To answer your question directly: Yes, this is a conflict between two applications, and it is the primary cause of your issue.
The presence of the AppID {ba195980-cd49-458b-9e23-c84ee0adcd75} on the IPv6 binding [::]:443 is fatal for RD Gateway connections originating from IPv6-enabled clients (which almost all modern Windows clients are). To explain:
AppID {4dc3e181-e14b-4a21-b022-59fc669b0914}: This is IIS (Internet Information Services). RD Gateway and the KDC Proxy run on top of IIS. They rely on IIS to receive the traffic, parse the /remoteDesktopGateway/ or /KdcProxy URL, and route it to the correct application pool.
AppID {ba195980-cd49-458b-9e23-c84ee0adcd75}: This is the AppID for SSTP (Secure Socket Tunneling Protocol), a component of the Routing and Remote Access Service (RAS).
HTTP.sys (the kernel-mode driver handling port 443) uses IP Listen Lists and AppID bindings to decide which application stack "owns" a packet. When you have a specific binding for [::]:443 assigned to the SSTP AppID, and a generic binding for 0.0.0.0:443 assigned to the IIS AppID:
Your client connects via IPv6 (preferred by Windows). HTTP.sys matches the traffic to the specific [::]:443 listener. It hands the traffic to the SSTP stack. SSTP does not know what /remoteDesktopGateway/ or /KdcProxy is. It expects a VPN handshake. The request fails or times out. The client, unable to establish the HTTP transport for the Proxy, assumes the Gateway is unreachable or incapable of that auth method, and silently downgrades or fails the specific Kerberos Pre-Auth leg.
You mentioned you "updated" the faulty association. If you used netsh http update sslcert, you likely only updated the Certificate Hash but left the AppID as {ba19...}. This means SSTP still owns the port, just with a new valid certificate. The traffic is still going to the wrong destination.
=> So the solution is to delete the Rogue Binding
You do not need to "update" the IPv6 binding to point to IIS. Typically, if you remove the specific IPv6 override, IIS (which is bound to 0.0.0.0:443 but usually listens on the "Any" interface ::) will automatically pick up the traffic. If strict inclusion is required, you must add it with the IIS AppID.
On both Production Servers (Server 2022 and Server 2025), execute the following:
Delete the conflicting IPv6 binding: netsh http delete sslcert ipport=[::]:443
Verify IIS pickup: Restart the World Wide Web Publishing Service (W3SVC). Run netsh http show sslcert.
Scenario A: You only see 0.0.0.0:443. Test connectivity. IIS often handles IPv6 traffic via the IPv4 listen socket in dual-stack mode.
Scenario B: If you need an explicit IPv6 binding (common on hardened servers), add it back using the IIS AppID:
netsh http add sslcert ipport=[::]:443 certhash=<YOUR_THUMBPRINT> appid={4dc3e181-e14b-4a21-b022-59fc669b0914} certstorename=MY
Regarding the Server 2022 "Realm\UPN" Issue, once you fix the binding above, the Server 2022 RDG should start receiving the KDC Proxy traffic correctly. However, if after fixing the binding you still see the
realm\UPNissue: Ensure your script's logic for theKdcProxyregistry key uses the exact casing expected by the client. In your script:$DomainName = (Get-WmiObject Win32_ComputerSystem).Domain.ToUpper()
If your client sends the realm as
MYDOMAIN.LOCALbut the registry key is created asmydomain.local(or vice versa),KpsSvcshould be case-insensitive, but I have seen edge cases where it matters. Since you enforce.ToUpper()in the script, you are likely safe, but verify that the Key Name in the registry matches exactly whatklistshows on the client side.I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to accept the answer. Should you have more questions, feel free to leave a message. Have a nice day!
VP
-
Serge Caron 25 Reputation points
2025-12-15T16:27:21.69+00:00 OOPS! I forgot to note the addition regarding non-DC RDGs.
Immediately after the "If ($RDSRole.Installed) {" statement, I added the code below.
The behavior of the Server 2022 RDG stays the same, wheter I just restart the kdssvc service or do a full system restart.
Regards,
### Explicit KDC Mapping (Critical for Non-DC Gateways) Try { Get-ADDomainController -Identity $RDG -ErrorAction Stop | Out-Null } Catch { $DomainName = (Get-WmiObject Win32_ComputerSystem).Domain.ToUpper() $KdcProxyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\KPSSVC\Settings\KdcProxy\$DomainName" If (-not (Test-Path $KdcProxyPath)) { New-Item -Path $KdcProxyPath -Force | Out-Null } # Get actual DCs for the domain $DCs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName New-ItemProperty -Path $KdcProxyPath -Name "KdcNames" -Type MultiString -Value $DCs -Force } -
Serge Caron 25 Reputation points
2025-12-15T16:25:34.04+00:00 OOPS! I forgot to note the addition regarding non-DC RDGs.
Immediately after the "If ($RDSRole.Installed) {" statement, I added the code below.
The behavior of the Server 2022 RDG stays the same, wheter I just restart the kdssvc service or do a full system restart.
Regards,
### Explicit KDC Mapping (Critical for Non-DC Gateways) Try { Get-ADDomainController -Identity $RDG -ErrorAction Stop | Out-Null } Catch { $DomainName = (Get-WmiObject Win32_ComputerSystem).Domain.ToUpper() $KdcProxyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\KPSSVC\Settings\KdcProxy\$DomainName" If (-not (Test-Path $KdcProxyPath)) { New-Item -Path $KdcProxyPath -Force | Out-Null } # Get actual DCs for the domain $DCs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName New-ItemProperty -Path $KdcProxyPath -Name "KdcNames" -Type MultiString -Value $DCs -Force }