I'm considering setting up a KDC Proxy that won't be publicly accessible, but can still be reached via Entra Private Access. My plan is to use this setup to remove the GSA Enterprise Application for the Domain Controllers. Is this a solid security approach or just a waste of time?
3 Answers
I really like your line of thinking here! It's great to explore what could be a creative setup.
To be honest, this seems like it could turn into a complicated mess. Have you thought about what happens if you leave the company? Who will understand how everything is configured? What benefit do you truly gain from this change?
I get your point! I thought it might offer similar benefits as using a reverse proxy for a webserver, but you're right—those aren't really the same.
I've never set up a KDC Proxy myself, but I wonder about the enhancements needed. You should check what Extended Key Usages (EKUs) the KDC Proxy requires. Let's Encrypt's Certificate Authority typically issues certificates only for Server and Client Authentication. If your proxy needs different EKUs, you might be out of luck.
Actually, you don't need anything special. You can use an Entra App Proxy in passthrough mode, just the usual HTTPS setup.
Thanks! I'm just brainstorming ideas while waiting for something to go wrong.