Fix Kerberos Machine TGT Fetching on Startup
Is RDP NLA between domain-joined devices not working outside of the corporate network, even though you configured a KDC proxy on both the client and the server? This is a known issue where lsass.exe fails to fetch the Kerberos machine TGT at boot time, but it can be "fixed" with a scheduled task!
Create a scheduled task with the following configuration:
Set the user account to "SYSTEM" (the task then runs under the computer account, which is exactly the principal whose TGT is missing)
Create a simple trigger at system startup
Create an action to run "klist.exe get krbtgt" (running as SYSTEM, this requests a TGT for the machine account and caches it in the SYSTEM logon session)
Last but not least, set a condition to start only if a network connection is available, so that klist does not run before the network is up and the KDC proxy is reachable
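The same task, created from an elevated PowerShell prompt with the built-in ScheduledTasks module. This is an added example, not code from the original post or thread; the task name, description and the five-second wait are my own choices, and the final klist call assumes you are running elevated (logon ID 0x3e7 is the SYSTEM logon session).

```powershell
# Added example: register the startup task described above.
# Assumed: run as an administrator; klist.exe ships with Windows.
$taskName = 'Fetch-MachineTGT'   # assumed name, use whatever fits your naming scheme

# Action: "klist.exe get krbtgt" requests a TGT for the principal running the task.
# Under SYSTEM that principal is the computer account (DOMAIN\HOSTNAME$).
$action = New-ScheduledTaskAction -Execute "$env:SystemRoot\System32\klist.exe" -Argument 'get krbtgt'

# Trigger: once, at system startup.
$trigger = New-ScheduledTaskTrigger -AtStartup

# Principal: the local SYSTEM account (no stored password, highest run level).
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Condition: only start when a network connection is available, so klist does not
# fire before the NIC is up and the KDC proxy is reachable. StartWhenAvailable lets
# the scheduler run the task as soon as the condition is met if the trigger was missed.
$settings = New-ScheduledTaskSettingsSet -RunOnlyIfNetworkAvailable -StartWhenAvailable `
    -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings `
    -Description 'Workaround: fetch the Kerberos machine TGT once the network is up' -Force | Out-Null

# Kick it off now so you can check it without waiting for a reboot, then look at the
# SYSTEM logon session (0x3e7): a krbtgt/<REALM> ticket should now be listed.
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 5
'Last task result: 0x{0:X}' -f (Get-ScheduledTaskInfo -TaskName $taskName).LastTaskResult
klist -li 0x3e7 | Select-String 'krbtgt'
```

A last task result of 0x0 means klist returned successfully; 0x41301 means it is still running, so wait a little longer before reading it. If no krbtgt entry shows up for 0x3e7, the KDC proxy on the machine is the first thing to check, because klist as SYSTEM goes through exactly the same path lsass.exe failed on at boot.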
To be 100% sure that it works, enforce RDP NLA on the server and then reboot (be ready to attach a physical keyboard, mouse and screen to undo this change in case RDP fails!). You can then try connecting from your client machine with RDP NLA, using the machine FQDN, not the IP!
If you attempt to connect with an IP address or a hostname other than the machine FQDN, or if your client machine is not configured with the KDC proxy properly, you will get "A certification authority could not be contacted for authentication". The name matters because the client derives the Kerberos SPN from whatever you type in the RDP client, so it has to match the server's FQDN. Editing the hosts file locally can do the trick if you don't feel like adding a DNS record.
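The server-side and client-side halves of that test, as an added example that is not part of the original post. The FQDN srv01.corp.example.com and the address 203.0.113.10 are constructed placeholders to be replaced with your own; the registry value used to require NLA on the RDP-Tcp listener is the one the "Remote" tab in System Properties toggles.

```powershell
# Added example: enforce NLA on the server, then point a client at it by FQDN
# without touching DNS. Placeholders below are constructed, replace them.

# --- On the server (elevated): require NLA for the RDP-Tcp listener.
# Have console access ready before rebooting, in case RDP stops working.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
(Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication   # expect 1

# --- On the client (elevated): make the server FQDN resolvable via the hosts file.
# Kerberos builds the SPN (TERMSRV/<name you typed>) from the name, so it must be
# the FQDN, not an IP address or a short alias.
$serverFqdn = 'srv01.corp.example.com'   # constructed placeholder
$serverIp   = '203.0.113.10'             # constructed placeholder (TEST-NET-3 range)
$hostsPath  = "$env:SystemRoot\System32\drivers\etc\hosts"

if (-not (Select-String -Path $hostsPath -Pattern ([regex]::Escape($serverFqdn)) -Quiet)) {
    Add-Content -Path $hostsPath -Value "$serverIp`t$serverFqdn"
}

# Confirm the name resolves through the hosts file (System.Net.Dns honours it,
# Resolve-DnsName does not) and that the RDP port answers, then connect by FQDN.
$resolved = [System.Net.Dns]::GetHostAddresses($serverFqdn) | ForEach-Object IPAddressToString
if ($resolved -notcontains $serverIp) { throw "$serverFqdn resolves to $resolved, not $serverIp" }

if (-not (Test-NetConnection -ComputerName $serverFqdn -Port 3389 -InformationLevel Quiet)) {
    throw "TCP 3389 on $serverFqdn is not reachable"
}

# Launch the RDP client against the FQDN so the Kerberos/NLA path is exercised.
Start-Process -FilePath "$env:SystemRoot\System32\mstsc.exe" -ArgumentList "/v:$serverFqdn"
```

If mstsc still shows "A certification authority could not be contacted for authentication" at this point, the name and port checks have already passed, which leaves the client's KDC proxy configuration or a server that did not get its machine TGT at boot as the remaining suspects.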
Issues resulting from a failure to fetch the Kerberos machine TGT at startup go well beyond RDP NLA. If you see errors in the Windows Event Viewer indicating that the machine TGT could not be fetched at startup, just follow the same steps.
This blog post is based on this Twitter thread.