The evolution of Windows authentication
Event ended: Wednesday, Mar 27, 2024, 03:30 PM PDT
As the security landscape evolves, Windows must continue to change to protect users and organizations. Foundational to this is user authentication. In Windows Server 2025 and Windows vNext, we have c...
Heather_Poulsen
Updated Dec 27, 2024
AlexBarthUT
Mar 27, 2024, Copper Contributor
While Remote Desktop supports Kerberos today, it will fall back to NTLM in IP-based scenarios or when the target is not joined to a domain. Will the RDP client and server be adopting IAKerb to replace NTLM?
To expand on that, it would be very beneficial to modern authentication scenarios to see the RDP gateway be able to redirect clients to Azure AD or ADFS for rich authentication at the gateway level then permit the client to authenticate to the target with IAKerb.
mamoreau
Mar 27, 2024, Iron Contributor
For the RDP client and server (excluding the RD Gateway scenario), my understanding is that with IAKerb and TryIPSPN, Kerberos will work in cases where there is no KDC line of sight, using either the IP address or the FQDN, where it would normally have failed without KDC line of sight, or when using the IP address without manually enabling the TryIPSPN option that exists in previous versions of Windows but isn't enabled by default.
For the RD Gateway scenario, I am also looking for more information. We've got customers that are starting to use cloud Entra-joined Windows 11 to connect through hybrid-joined RD Gateway servers for the same domain, which is getting really, really weird in terms of authentication. While the Windows client can do outbound Kerberos, the Entra ID-joined part of the RD Gateway doesn't do inbound Kerberos, so what we're seeing is an NTLM downgrade. It really isn't clear how this is all supposed to work, or how this is going to keep working without NTLM in the future.
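The two comments above raise two practical questions: is the TryIPSPN switch actually on for a given client, and did an RDP logon to an IP address end up on Kerberos or fall back to NTLM? The PowerShell below is an added example, not code from this thread, from Microsoft, or from the event; it reads and sets the documented TryIPSPN registry value under the Kerberos Parameters key, asks the Kerberos client for a TERMSRV service ticket with klist, and audits Security event 4624 on an RDP target for the AuthenticationPackageName field, which is where an NTLM downgrade shows up. The target names and addresses in the usage lines are placeholders.

```powershell
# Added example (not from the thread): check whether this Windows host allows
# Kerberos to IP-address SPNs (TryIPSPN), optionally enable it, request a
# TERMSRV ticket for a host, and audit recent RDP logons on a target for the
# authentication package actually used (Kerberos vs NTLM).
# Registry path and value name are the documented TryIPSPN switch; event ID
# 4624 and its field names are standard Security log fields.

$kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-TryIPSPNState {
    # $true if TryIPSPN is present and set to 1, $false if absent or 0.
    $v = Get-ItemProperty -Path $kerbParams -Name TryIPSPN -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.TryIPSPN -eq 1)
}

function Enable-TryIPSPN {
    # Needs an elevated shell. Applies to new ticket requests on this client.
    if (-not (Test-Path $kerbParams)) { New-Item -Path $kerbParams -Force | Out-Null }
    New-ItemProperty -Path $kerbParams -Name TryIPSPN -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-KerberosTicketForHost {
    param([Parameter(Mandatory)][string]$Target)   # FQDN or IP address
    # Ask the Kerberos client for a TERMSRV/<target> service ticket. klist
    # prints the ticket on success or an error if no KDC issued one.
    $out = & klist.exe get "TERMSRV/$Target" 2>&1
    [pscustomobject]@{
        Target   = $Target
        Kerberos = (@($out) -match 'Server: TERMSRV/').Count -gt 0
        Output   = (@($out) -join "`n")
    }
}

function Get-RdpLogonAuthPackages {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    # Reads Security event 4624 on the target and reports, per logon, whether
    # Kerberos or NTLM was used. Logon type 10 is RemoteInteractive (RDP);
    # type 3 covers the NLA/CredSSP network logon that precedes it.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
      ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.LogonType -in '3','10') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                LogonType   = $d.LogonType
                User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
                SourceIp    = $d.IpAddress
                AuthPackage = $d.AuthenticationPackageName   # 'Kerberos' or 'NTLM'
                LmPackage   = $d.LmPackageName               # e.g. 'NTLM V2' when NTLM was used
            }
        }
      } | Sort-Object Time -Descending
}

# Usage (placeholder names). Run the first two on the client, the third against the RDP target:
"TryIPSPN enabled on this client: $(Get-TryIPSPNState)"
# Test-KerberosTicketForHost -Target 10.0.0.25
# Get-RdpLogonAuthPackages -ComputerName rdp-target01 | Format-Table -AutoSize
```

Running the ticket test against an IP address before and after Enable-TryIPSPN shows the behaviour the comment describes on older builds: without the value, the request for TERMSRV/10.0.0.25 fails and the RDP client falls back to NTLM; with it, the KDC issues a ticket for the IP-based SPN. The 4624 audit on the target is the check to run in the Entra-joined-client-through-RD-Gateway case, since a row with AuthPackage NTLM for a user who should have a Kerberos TGT is exactly the downgrade being reported.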