Download the file Auth.zip from https:\/\/cesdiagtools.blob.core.windows.net\/windows\/Auth.zip<\/a><\/p>\n\n\n\n Logs as shows : <\/p>\n\n\n\n To obtain the TGT we starting locating a DC and fail to find one standard Dclocator<\/a> (expected as no VPN or connection to Domain Controller)<\/p>\n\n\n\n Now we see a call to KDCProxy,<\/a> this is what is responsible for getting you authenticated without having a line of site to your DC.<\/p>\n\n\n\n Line two of this tells you the KDC proxy gateway is connecting too<\/p>\n\n\n\n This is what we see when the correct password is entered.<\/p>\n\n\n\n The question in my mind , was how was it able to get KDC proxy gateway address? Its a FQDB used by the RDP Gateway , and the below found my answer<\/p>\n\n\n\n “This is called the KDC Proxy Service (KPS), and it was introduced as a supporting service for Direct Access and Remote Desktop Gateway deployments”<\/p>\n\n\n\n KDC Proxy is installed with 2016 Server Remote Desktop Gateway role , so if you have a Terminal Server Enviroment listing on Port 443 which it needs for the Gateway you have this running!<\/p>\n\n\n\n But I have never seen this elsewhere and they have RDP Gateway roles?<\/p>\n\n\n\n This site gives a nice rundown of it all KDC Proxy for Remote Access (syfuhs.net)<\/a> – There’s a little known feature in Windows called the KDC Proxy that lets clients communicate with KDC servers over an HTTPS channel instead of TCP.<\/p>\n\n\n\n By default , the Keys\u00a0HttpsClientAuth<\/strong>\u00a0and\u00a0DisallowUnprotectedPasswordAuth\u00a0<\/strong>do no exist in\u00a0 HKLM\\SYSTEM\\CurrentControlSet\\Services\\KPSSVC\\Settings , however this setup they did\u00a0<\/p>\n\n\n\n Which enabled this Password reset without connection to Domain Controller ( When\u00a0 It must be secure to Enable this without Password Auth and Windows Hello instead as you open yourself up for a Brute Force attack ( as the Logins are not restricted and count towards lockout polices )\u00a0<\/p>\n\n\n\n <\/p>\n\n\n\n You need to make sure the user authenticating is using the primary domain name not an Alternate UPN Recently had a customer be able to change passwords from Exchange webmail and for the password to sync back to their local computer without having direct access […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[3590,1677,3591,3585,3812,3589,3586,721,3587,3588,1398,1351],"class_list":["post-5307","post","type-post","status-publish","format-standard","hentry","category-research","tag-disallowunprotectedpasswordauth","tag-domain-controller","tag-httpsclientauth","tag-kdc-proxy","tag-kerberos","tag-kps","tag-line-of-sight","tag-password","tag-password-change","tag-password-sync","tag-sync","tag-vpn"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t![\"\"](\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2021\/09\/img_614e8f1f03749.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2021\/09\/img_614e8e0ceaf7a.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2021\/09\/img_614e8e6f18904.png\")
<\/figure>\n\n\n\nHttpsClientAuth : Dword 0 ( Disable client authentication ) \nDisallowUnprotectedPasswordAuth : Dword 0 ( Enable password authentication ) <\/code><\/pre>\n\n\n\nDisallowUnprotectedPasswordAuth<\/code>\u00a0is set to\u00a00<\/code>\u00a0the KDC proxy will allow the user to retrieve a\u00a0krbtgt<\/code>\u00a0using username and password. ) <\/p>\n\n\n\n
Failed to locate a domain controller in domain xxxxxxx.com.au with locator flags 0x601: error code 0x54B.<\/p>\n\n\n\n![\"\"](\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/02\/image-3.png\")
<\/a><\/figure>\n","protected":false},"excerpt":{"rendered":"