kdcproxy

This is a Go based KDC Proxy designed for use against Active Directory.

Usage

Command Line

go install github.com/andrewheberle/kdcproxy/cmd/kdcproxy@v1.2.7
./kdcproxy --listen :8080

Docker

docker run -p 8080:8080 ghcr.io/andrewheberle/kdcproxy:v1.2.7

To run via HTTPS:

docker run -p 8443:8080 \
    -e KDC_PROXY_CERT=/ssl/server.crt \
    -e KDC_PROXY_KEY=/ssl/server.key \
    -v /path/to/certificates:/ssl:ro \
    ghcr.io/andrewheberle/kdcproxy:v1.2.1

Configuration

The application supports the following options:

Command Line Option	Environment Variable	Default	Usage
--listen	KDC_PROXY_LISTEN	127.0.0.1:80801	Service listen address
--cert	KDC_PROXY_CERT		TLS Certificate (optional)
--key	KDC_PROXY_KEY		TLS KEY (optional)
--krb5conf	KDC_PROXY_KRB5CONF		Path to krb5.conf (optional)

Krb5.conf

It is optional to provide a MIT krb5.conf configuration file. Without this, the service defaults to using DNS to look up the KDC's for the realm to send requests.

In most cases, assuming DNS resolution is working and the required DNS SRV records are in place, this should not be required.

Specifications

This service follows the MS-KKDCP specification that is published here:

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kkdcp/5bcebb8d-b747-4ee5-9453-428aec1c5c38

Credits

This was initially based on the KDC Proxy implementation here:

https://github.com/bolkedebruin/rdpgw

In addition a lot of the logic for the service to make things work came from:

https://github.com/latchset/kdcproxy

Footnotes

1. The default for the container is ":8080" ↩