IPA AD Trust - Configure IPA server as a KDC Proxy for AD Kerberos communication

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux (RHEL) 7.x
  • Red Hat Enterprise Linux (RHEL) 8.x
  • Red Hat Identity Management (IdM) 4.x

Issue

  • Network restrictions or firewall rules prevent IPA clients from reaching Active Directory on the Kerberos port (88)
  • IPA clients need to proxy their Kerberos traffic for AD trust operations through the IPA server

Resolution

  • On all IPA clients, add the Active Directory realm to the [realms] section of /etc/krb5.conf. The kdc and kpasswd_server entries below should point to the FQDN of the appropriate IPA server:

      AD.DOMAIN = {
          kdc = https://ipa-server.example.com/KdcProxy
          kpasswd_server = https://ipa-server.example.com/KdcProxy
      }
    
  • Also on the IPA client, disable SSSD's kdcinfo file generation in the IdM domain section of sssd.conf; otherwise the kdcinfo files would override the /etc/krb5.conf settings:

      [domain/example.com]
      krb5_use_kdcinfo = False
    
  • On the IPA servers, set use_dns = true in /etc/ipa/kdcproxy/kdcproxy.conf so that the proxy uses DNS SRV records to locate the AD servers it communicates with:

      # cat /etc/ipa/kdcproxy/kdcproxy.conf
      [global]
      configs = mit
      use_dns = true
    

    Alternatively, if you do not wish to use DNS SRV records, explicit AD servers can be added to the [realms] section of /etc/krb5.conf on the IPA servers:

      AD.DOMAIN = {
          kdc = ad-server.ad.domain
          kpasswd_server = ad-server.ad.domain
      }
    
  • If TCP should be used as the transport between the kdcproxy and the AD KDC servers, add the following configuration to /etc/ipa/kdcproxy/kdcproxy.conf on the IPA servers:

      # cat /etc/ipa/kdcproxy/kdcproxy.conf
      [AD.EXAMPLE.COM]
      kerberos = kerberos+tcp://server1.ad.example.com:88
      kpasswd = kpasswd+tcp://server2.ad.example.com:464
    
  • Each realm configuration parameter may list multiple servers separated by spaces.

  • Restart the IPA services:

      # ipactl restart
    
  • On the IPA client, remove any stale kdcinfo files and run a traced kinit against the AD realm to test:

      # rm /var/lib/sss/pubconf/kdcinfo*
      # KRB5_TRACE=/dev/stdout kinit ad.user@AD.DOMAIN
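To check that a client and a server actually carry the settings above before running the kinit test, the following audit script is an added example (not Red Hat's or the kdcproxy project's code). It parses the brace-delimited krb5.conf [realms] format, reads sssd.conf and kdcproxy.conf with configparser, and reports a finding for every deviation from the article: a client kdc or kpasswd_server that is not an https .../KdcProxy URL, krb5_use_kdcinfo left at its default of True, or a server that has none of the three AD-location routes (explicit realm section with kerberos+tcp/kpasswd+tcp URIs, server-side krb5.conf kdc entries, or use_dns = true). All configuration texts are constructed samples; the assumption that use_dns must be set explicitly and that a URI without a port uses the default port is the script's, not the page's.

```python
"""Audit IPA client and IPA server settings for an AD trust realm proxied through
the IPA KDC proxy.  Added example; all configuration texts are constructed."""
import configparser
import re
from urllib.parse import urlparse

# Constructed client /etc/krb5.conf: the AD realm is routed through the IPA KDC proxy.
CLIENT_KRB5_CONF = """
[realms]
  EXAMPLE.COM = {
    kdc = ipa-server.example.com:88
  }
  AD.DOMAIN = {
    kdc = https://ipa-server.example.com/KdcProxy
    kpasswd_server = https://ipa-server.example.com/KdcProxy
  }
"""
# Constructed client sssd.conf with kdcinfo generation disabled.
CLIENT_SSSD_CONF = """
[domain/example.com]
id_provider = ipa
krb5_use_kdcinfo = False
"""
# Constructed server /etc/ipa/kdcproxy/kdcproxy.conf with explicit TCP targets.
SERVER_KDCPROXY_CONF = """
[global]
configs = mit
use_dns = false

[AD.DOMAIN]
kerberos = kerberos+tcp://ad-server.ad.domain:88
kpasswd = kpasswd+tcp://ad-server.ad.domain:464
"""


def parse_krb5_realms(text):
    """Return {REALM: {key: [values]}} from the [realms] section.  krb5.conf is not
    INI: realm bodies are brace-delimited blocks, so configparser cannot read it."""
    realms, current, in_realms = {}, None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and indentation
        if not line:
            continue
        if line.startswith("["):
            in_realms, current = line.lower() == "[realms]", None
            continue
        if not in_realms:
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)       # "REALM = {" opens a block
        if m:
            current = m.group(1)
            realms[current] = {}
        elif line == "}":
            current = None
        elif current and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            realms[current].setdefault(key, []).append(value)   # keys may repeat
    return realms


def audit_client(krb5_text, sssd_text, ad_realm, idm_domain):
    """Findings for an IPA client; an empty list means it matches the article."""
    findings = []
    realm = parse_krb5_realms(krb5_text).get(ad_realm)
    if realm is None:
        return [f"{ad_realm}: no [realms] stanza in krb5.conf"]
    for key in ("kdc", "kpasswd_server"):
        for value in realm.get(key) or ["<missing>"]:
            u = urlparse(value)
            if u.scheme != "https" or not u.path.endswith("/KdcProxy"):
                findings.append(f"{ad_realm}: {key} = {value} is not an https .../KdcProxy URL")
    sssd = configparser.ConfigParser(interpolation=None)
    sssd.read_string(sssd_text)
    section = f"domain/{idm_domain}"
    # SSSD defaults krb5_use_kdcinfo to True, so a missing key is a finding too.
    if sssd.getboolean(section, "krb5_use_kdcinfo", fallback=True):
        findings.append(f"{section}: krb5_use_kdcinfo is not False; kdcinfo may override krb5.conf")
    return findings


# Expected URI scheme and port per kdcproxy realm key (a URI without a port is
# assumed to use the default port).
EXPECTED = {"kerberos": ("kerberos+tcp", 88), "kpasswd": ("kpasswd+tcp", 464)}


def audit_server(kdcproxy_text, server_krb5_text, ad_realm):
    """Findings for an IPA server: the proxy must be able to locate AD KDCs by one of
    the article's routes (explicit realm section, server krb5.conf, or DNS SRV)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(kdcproxy_text)
    if cfg.has_section(ad_realm):
        findings = []
        if not cfg.get(ad_realm, "kerberos", fallback=""):
            findings.append(f"[{ad_realm}]: no kerberos = ... entry")
        for key, (scheme, port) in EXPECTED.items():
            for uri in cfg.get(ad_realm, key, fallback="").split():   # space-separated list
                u = urlparse(uri)
                if u.scheme != scheme or u.port not in (None, port):
                    findings.append(f"[{ad_realm}]: {key} = {uri} should be {scheme}://host:{port}")
        return findings
    if "kdc" in parse_krb5_realms(server_krb5_text).get(ad_realm, {}):
        return []
    # Assumption: use_dns must be set explicitly; an absent key counts as false here.
    if cfg.getboolean("global", "use_dns", fallback=False):
        return []
    return [f"{ad_realm}: no kdcproxy realm section, no kdc in server krb5.conf, and use_dns is not true"]


if __name__ == "__main__":
    for f in audit_client(CLIENT_KRB5_CONF, CLIENT_SSSD_CONF, "AD.DOMAIN", "example.com"):
        print("client:", f)
    for f in audit_server(SERVER_KDCPROXY_CONF, "", "AD.DOMAIN"):
        print("server:", f)
```

Run against real files by reading /etc/krb5.conf, /etc/sssd/sssd.conf and /etc/ipa/kdcproxy/kdcproxy.conf into the text arguments; a client whose AD realm still resolves to a bare AD hostname, or whose SSSD still writes kdcinfo files, shows up as a finding before the kinit trace is needed.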
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.