Recently had a customer be able to change passwords from Exchange webmail and for the password to sync back to their local computer without having direct access to the domain controller on a LAN or via VPN.
To trace this 365 support were able to use the below script from here
Download the file Auth.zip from https://cesdiagtools.blob.core.windows.net/windows/Auth.zip
Logs as shows :
To obtain the TGT we starting locating a DC and fail to find one standard Dclocator (expected as no VPN or connection to Domain Controller)
Now we see a call to KDCProxy, this is what is responsible for getting you authenticated without having a line of site to your DC.
Line two of this tells you the KDC proxy gateway is connecting too
This is what we see when the correct password is entered.
The question in my mind , was how was it able to get KDC proxy gateway address? Its a FQDB used by the RDP Gateway , and the below found my answer
“This is called the KDC Proxy Service (KPS), and it was introduced as a supporting service for Direct Access and Remote Desktop Gateway deployments”
KDC Proxy is installed with 2016 Server Remote Desktop Gateway role , so if you have a Terminal Server Enviroment listing on Port 443 which it needs for the Gateway you have this running!
But I have never seen this elsewhere and they have RDP Gateway roles?
This site gives a nice rundown of it all KDC Proxy for Remote Access (syfuhs.net) – There’s a little known feature in Windows called the KDC Proxy that lets clients communicate with KDC servers over an HTTPS channel instead of TCP.
By default , the Keys HttpsClientAuth and DisallowUnprotectedPasswordAuth do no exist in HKLM\SYSTEM\CurrentControlSet\Services\KPSSVC\Settings , however this setup they did
Which enabled this Password reset without connection to Domain Controller
Its must secure to Enable this without Password Auth and Windows Hello instead as you open yourself up for a Brute Force attack ( as the Logins are not restricted and count towards lockout polices )
Trackback from your site.