Windows - Kerberos SSO from outside the domain

windows active-directory kerberos mitkerberos

I recently got KERBEROS working from a VPN-connected workstation that's not joined to the domain (an AWS-managed Server 2008R2 Active Directory). The key was adding the SRV and corresponding A records to public DNS so that the worksation could resolve _kerberos._tcp.dc._msdcs.mydomain.mydomain.com to the DC's local VPC address on port 88 (note mydomain twice is not a mistake).

Kerberos clients get tickets using the domain credentials stored in the Windows Credentials Manager. Adding the realm via ksetup wasn't necessary.

Related

Where does O365 track end user clicks on SafeLinks?
Remotely monitoring ISC DHCP Server with Nagios
Finding the source of a (memory read) hardware error
VLAN - Network Redundancy With Same 2nd Switch?
How do I get the power consumption of a Supermicro server on the CLI?
Server 2019 custom PowerShell script is getting queued (Code 325)
Set up iis7.5 to deny connections outside of LAN for certain folder
Google Cloud not routing out over additional NICs
IPv6 network for WireGuard VPN
Azure: How to add CosmosDb to VNET properly
Postfix "loops back to myself" only when trying to send to fallback relay
HTTP CONNECT requests in Apache web server log