# Use the Devolutions Gateway KDC proxy

Remote connection to systems using Kerberos tokens is a challenge without direct line of sight. A [Kerberos KDC (Key Distribution Controller) proxy](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kkdcp/d688ea3a-04b0-45ea-8226-82a74cb6289e) offers a method for a client to communicate with an intermediate server, Devolutions Gateway in this example, that proxies the token request to another KDC, which lives on the domain controller.

As Devolutions Gateway is a secure just-in-time lightweight VPN replacement, it is a great option to act as a KDC proxy for remote RDP connections. Devolutions Gateway offers two options: [short-lived](https://docs.devolutions.net/gateway/kb/how-to-articles/use-nla-rdp-connection/#short-lived-tokens) and [long-lived tokens](https://docs.devolutions.net/gateway/kb/how-to-articles/use-nla-rdp-connection/#long-lived-tokens).

### Enable API hooking for RDP

[Microsoft RDP API hooking should be enabled](https://docs.devolutions.net/rdm/kb/knowledge-base/microsoft-rdp-api-hooking/?tab=windows) in Remote Desktop Manager (enabled by default) for Devolutions Gateway connections. This allows continued use when an NTLM downgrade occurs.

![](https://cdnweb.devolutions.net/docs/RDMW4343_2025_2.png)

### Configure KDC proxy with short-lived tokens

When using a KDC proxy, the recommended default is short-lived tokens dynamically injected by the Devolutions Gateway. These tokens are used in RDP via NLA (Network Layer Authentication) and by the Devolutions web-based sessions, such as WinRM, LDAP, and LAPS. Typical Kerberos tokens are limited to 10 hours by default.

1. In Devolutions Server, head to ***Administration*** – ***Modules*** – ***Devolutions Gateway***. Then, click the ***Edit*** button (pen-shaped icon) on the desired Devolutions Gateway instance.

   ![](https://cdnweb.devolutions.net/docs/DVLS4207_2025_2.png)
2. In the ***KDC proxy*** section, click the ***Add*** button (cross-shaped icon). Multiple KDC servers can be added.

   ![](https://cdnweb.devolutions.net/docs/DVLS4208_2025_2.png)

   <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p>The connection is matched based on the suffix, e.g., with two server realms named, respectively, <code>ad.it-help.ninja</code> and <code>ad.contoso.com</code>, <code>machine.ad.it-help.ninja</code> will automatically use the former suffix, while <code>machine.ad.contoso.com</code> will use the latter.</p></div>
3. Fill out the ***KDC server URL*** and ***Kerberos realm*** fields. Check ***Set as default*** to make all connections use the KDC server URL. Otherwise, only matched realms will be used. Click on ***Save***.

   ![](https://cdnweb.devolutions.net/docs/DVLS4209_2025_2.png)
4. Back in the Devolutions Gateway edit window, go to the ***Advanced*** section and make sure that the ***Force using IP address for RDP connections*** option is unchecked. Click ***Save*** to complete the configuration.

   ![](https://cdnweb.devolutions.net/docs/DVLS4210_2025_2.png)
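The hint in step 2 describes how a connection is matched to a configured KDC server by realm suffix, with ***Set as default*** as the fallback. The function below is an added illustration of that rule (it is not Devolutions code and is not what Devolutions Server or Gateway runs internally). The realm list is constructed for the example, the gateway URLs are placeholders, and three details are this example's own assumptions rather than documented behaviour: matching is case-insensitive, a realm only matches on a label boundary (so `ad.contoso.com` does not match `bad.contoso.com`), and when several realms match, the longest one wins.

```powershell
# Added example: resolves which configured KDC server a host name would use,
# following the suffix rule described in the hint (assumptions noted above).
function Resolve-KdcProxyRealm {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $HostName,
        # Each entry mirrors the three fields of the KDC proxy form:
        # @{ Realm = '...'; Url = '...'; Default = $true/$false }
        [Parameter(Mandatory)] [hashtable[]] $KdcServers
    )

    $fqdn = $HostName.TrimEnd('.').ToLowerInvariant()

    # Keep every realm that is the host name itself or a dot-bounded suffix of it.
    $candidates = foreach ($server in $KdcServers) {
        $realm = $server.Realm.TrimEnd('.').ToLowerInvariant()
        if ($fqdn -eq $realm -or $fqdn.EndsWith(".$realm")) { $server }
    }

    # Assumption: the most specific (longest) matching realm wins.
    $best = $candidates | Sort-Object { $_.Realm.Length } -Descending | Select-Object -First 1
    if ($best) { return $best }

    # No realm matched: fall back to the entry marked "Set as default", if any.
    return $KdcServers | Where-Object { $_.Default } | Select-Object -First 1
}

# Constructed configuration: two realms, the second marked as default.
# The URLs are placeholders; use your Devolutions Gateway KDC proxy URL.
$servers = @(
    @{ Realm = 'ad.it-help.ninja'; Url = 'https://gateway.example.invalid/KdcProxy'; Default = $false },
    @{ Realm = 'ad.contoso.com';   Url = 'https://gateway.example.invalid/KdcProxy'; Default = $true  }
)

foreach ($name in 'machine.ad.it-help.ninja', 'machine.ad.contoso.com', 'host.other.example') {
    $chosen = Resolve-KdcProxyRealm -HostName $name -KdcServers $servers
    [pscustomobject]@{ Host = $name; Realm = $chosen.Realm; Url = $chosen.Url }
}
```

The first two host names resolve by suffix to their own realm, and the third, which matches neither realm, falls back to the entry flagged as default; with no default entry configured, a host outside every realm would get no KDC server at all, which is the case to check when a connection unexpectedly falls back to NTLM.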

### Configure KDC proxy with long-lived tokens

Long-lived tokens can be created with a lifetime of 1, 3 or 6 months, or a full year. Typically, they are created only to be installed system-wide for edge cases where Devolutions Gateway cannot dynamically inject a short-lived token.

1. In Devolutions Server, head to ***Administration*** – ***Modules*** – ***Devolutions Gateway***, and click the ***More*** button (vertical ellipsis-shaped icon). Select ***KDC proxy***.

   ![](https://cdnweb.devolutions.net/docs/DVLS4211_2025_2.png)
2. Click the ***Add*** button (cross-shaped icon).

   ![](https://cdnweb.devolutions.net/docs/DVLS4212_2025_2.png)
3. Fill out the ***KDC server URL*** and ***Kerberos realm*** fields, and determine how long the token will live. Click on ***Add***.

   ![](https://cdnweb.devolutions.net/docs/DVLS4213_2025_2.png)
4. Once added, download either a PowerShell script or a registry (`.reg`) file to add the token to the target machine’s registry. Both files write the same entries, but the PowerShell script can also be run with the `-Uninstall` parameter to remove them later, if needed.

   ![](https://cdnweb.devolutions.net/docs/DVLS4214_2025_2.png)

#### Registry entries for KDC proxy

Both files create the following registry keys:

* `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos`
* `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters`
* `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\KdcProxy\ProxyServers`

Under these keys, the generated token is stored in the following values:

* `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\KdcProxyServer_Enabled` = `1`
* `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\KdcProxy\ProxyServers\{realm name}` = Token Value

To remove the KDC proxy configuration, delete these entries in the Windows ***Registry Editor*** (taking care not to touch other values) or rerun the PowerShell script that was used to install them with the `-Uninstall` parameter.
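The script below is an added example, not the script Devolutions Server generates. It writes, audits and removes the registry entries listed above so that an administrator can see exactly what a long-lived token installation touches and confirm the state of a machine. `$Realm` and `$TokenValue` are placeholders to be replaced with the realm and token shown on the Devolutions Server KDC proxy page; the decision to disable the proxy only when no realm entries remain is this example's own choice, not documented Devolutions behaviour. Run it from an elevated PowerShell session on the target machine.

```powershell
<#
  Added example (not Devolutions' generated script).
  Usage:
    .\KdcProxyToken.ps1 -Realm ad.contoso.com -TokenValue '<token>'   # install
    .\KdcProxyToken.ps1 -Realm ad.contoso.com -Verify                 # audit only
    .\KdcProxyToken.ps1 -Realm ad.contoso.com -Uninstall              # remove
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $Realm,   # placeholder, e.g. ad.contoso.com
    [string] $TokenValue,                     # placeholder: token generated in Devolutions Server
    [switch] $Uninstall,
    [switch] $Verify
)

# Key paths exactly as listed in the article.
$KerberosKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos'
$ParametersKey   = "$KerberosKey\Parameters"
$ProxyServersKey = "$KerberosKey\KdcProxy\ProxyServers"

function Install-KdcProxyToken {
    if (-not $TokenValue) { throw 'Pass -TokenValue with the token generated in Devolutions Server.' }
    foreach ($key in $KerberosKey, $ParametersKey, $ProxyServersKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # KdcProxyServer_Enabled = 1 (DWORD) under the Kerberos key, as listed above.
    New-ItemProperty -Path $KerberosKey -Name 'KdcProxyServer_Enabled' -Value 1 `
        -PropertyType DWord -Force | Out-Null
    # One string value per realm under ProxyServers, holding the generated token.
    New-ItemProperty -Path $ProxyServersKey -Name $Realm -Value $TokenValue `
        -PropertyType String -Force | Out-Null
}

function Uninstall-KdcProxyToken {
    if (-not (Test-Path $ProxyServersKey)) { return }
    Remove-ItemProperty -Path $ProxyServersKey -Name $Realm -ErrorAction SilentlyContinue
    # Assumption of this example: only disable the proxy when no realm entries
    # remain, so a second realm configured on the same machine keeps working.
    $remaining = (Get-Item $ProxyServersKey).GetValueNames().Count
    if ($remaining -eq 0) {
        Remove-ItemProperty -Path $KerberosKey -Name 'KdcProxyServer_Enabled' -ErrorAction SilentlyContinue
    }
}

function Get-KdcProxyTokenState {
    # Reads back what is in the registry for this realm, for auditing.
    $enabled = Get-ItemPropertyValue -Path $KerberosKey -Name 'KdcProxyServer_Enabled' -ErrorAction SilentlyContinue
    $token   = Get-ItemPropertyValue -Path $ProxyServersKey -Name $Realm -ErrorAction SilentlyContinue
    # The token is a credential-like secret: report presence and a short prefix, never the whole value.
    $prefix = $null
    if ($token) { $prefix = $token.Substring(0, [Math]::Min(12, $token.Length)) + '...' }
    [pscustomobject]@{
        Realm        = $Realm
        ProxyEnabled = ($enabled -eq 1)
        TokenPresent = -not [string]::IsNullOrEmpty($token)
        TokenPrefix  = $prefix
    }
}

if ($Uninstall)       { Uninstall-KdcProxyToken }
elseif (-not $Verify) { Install-KdcProxyToken }
Get-KdcProxyTokenState
```

Every mode ends by printing the current state, so the audit object is the quick check after either install or removal: `ProxyEnabled` true with `TokenPresent` false means the machine is pointed at a proxy with no token for this realm, and `TokenPresent` true with `ProxyEnabled` false means a token is sitting unused in the registry; either combination is worth resolving before relying on the long-lived token.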

### Active Directory Protected Users Group

Adding users to the [Protected Users group in Active Directory](https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group) disables NTLM, often breaking RDP for remote sessions. Devolutions Gateway fixes this by acting as a KDC proxy, enabling Kerberos authentication even without direct domain controller access. In Remote Desktop Manager Windows, [RDP API hooking must be enabled](https://docs.devolutions.net/gateway/kb/how-to-articles/use-nla-rdp-connection/#api-hooking) to support short-lived Kerberos tokens and restore RDP functionality securely.

### See also

* [Microsoft RDP API hooking](https://docs.devolutions.net/rdm/kb/knowledge-base/microsoft-rdp-api-hooking/)
