Proxying AD Protected Users

Has anyone gotten managing and using AD credentials for “protected users” working yet? (Protected Users Security Group in Windows Server | Microsoft Learn)

The Protected Users group in itself is a great feature of AD and drastically reduces the attack surface for privileged accounts. It forces Kerberos authentication and disables many legacy protocols.

Hi,

From version 4.0 and above, using proxy v2 (which is in beta), it's possible to start RDP sessions with users that belong to the Protected Users group.

It works using Kerberos authentication and requires a manual configuration.


  1. Create the config file in the Segura PAM:
    Change the default realm and all mentions of the “WINRM.SEGI9.KERBEROS” realm to your own domain.

vim /etc/krb5.conf


[libdefaults]
        # The realm is the upper-cased DNS name of the AD domain
        default_realm = WINRM.SEGI9.KERBEROS

        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

        fcc-mit-ticketflags = true

[realms]
        WINRM.SEGI9.KERBEROS = {
                # A domain controller of that realm
                kdc = winrm.segi9.kerberos
                admin_server = winrm.segi9.kerberos
        }

  2. Give the file the correct permissions:

chmod 644 /etc/krb5.conf


  3. Activate proxy v2 (beta version, activate at your own risk):

orbit proxy shift v2


  4. Finally, when registering the device that will be used for the Kerberos connection in the vault, enter the machine’s hostname in the “IP, Hostname or Management URL” field instead of the numeric IP address.
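As an added example (not Segura's code and not part of the post above): a small Python script that parses the krb5.conf subset shown in step 1 and runs the checks this setup depends on before you shift the proxy: the default realm is upper case and has a [realms] stanza with a kdc, no enctype list re-enables RC4/DES (Protected Users members are AES-only), and the value entered in step 4 is a hostname rather than an IP literal. The realm, host names and both sample configs are constructed for the example.

```python
"""Pre-flight checks for the Kerberos proxy setup described above.

Added example, not Segura's code. The realm, host names and both sample
configs are constructed for this example.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: the krb5.conf from the post, example realm included.
SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = WINRM.SEGI9.KERBEROS
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        fcc-mit-ticketflags = true

[realms]
        WINRM.SEGI9.KERBEROS = {
                kdc = winrm.segi9.kerberos
                admin_server = winrm.segi9.kerberos
        }
"""

# Constructed counter-example: lower-case realm, RC4 re-enabled, empty [realms].
BAD_KRB5_CONF = """\
[libdefaults]
        default_realm = corp.example
        default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96
[realms]
"""


def parse_krb5_conf(text):
    """Parse 'key = value' lines grouped under [section] headers.

    'NAME = { ... }' blocks (realm stanzas) become nested dicts; comments
    starting with # or ; and blank lines are skipped.
    """
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = sections.setdefault(header.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError(f"directive before any [section]: {raw!r}")
        if line == "}":
            block = None
            continue
        pair = re.fullmatch(r"([^=\s]+)\s*=\s*(.*)", line)
        if not pair:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = pair.group(1), pair.group(2).strip()
        if value == "{":
            block = section.setdefault(key, {})
        else:
            (block if block is not None else section)[key] = value
    return sections


def check_krb5_conf(conf):
    """Return a list of findings; an empty list means the file looks usable."""
    findings = []
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    realm = lib.get("default_realm")
    if not realm:
        return ["libdefaults: default_realm is missing"]
    if realm != realm.upper():
        findings.append(f"default_realm {realm!r} is not upper case; the AD realm is "
                        "the upper-cased DNS domain and realm matching is case-sensitive")
    stanza = realms.get(realm)
    if stanza is None:
        findings.append(f"[realms] has no stanza for default_realm {realm!r}")
    elif not stanza.get("kdc"):
        findings.append(f"[realms] {realm}: no kdc entry, so no domain controller is known")
    # Protected Users members are AES-only; flag any list that re-enables RC4/DES.
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        if re.search(r"rc4|arcfour|\bdes", lib.get(key, ""), re.I):
            findings.append(f"libdefaults: {key} lists RC4/DES, which Protected Users cannot use")
    # forwardable/proxiable only request ticket flags; Protected Users members
    # cannot be delegated anyway, so these settings change nothing for them.
    return findings


def device_address_check(value):
    """Step 4 of the post: the vault's 'IP, Hostname or Management URL' field.

    The client asks the KDC for a service ticket named after the host it
    connects to (TERMSRV/<name> for RDP). An IP literal gives it no name to
    ask for, so it falls back to NTLM, which Protected Users members are denied.
    Returns (ok, host_or_reason).
    """
    host = urlsplit(value).hostname if "://" in value else value
    if host and host.count(":") == 1:  # strip a single trailing :port
        host = host.split(":")[0]
    if not host:
        return False, f"no host name in {value!r}"
    try:
        ipaddress.ip_address(host)
        return False, f"{host} is an IP literal; register the machine's hostname instead"
    except ValueError:
        pass
    if not re.fullmatch(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?", host):
        return False, f"{host!r} is not a valid hostname"
    return True, host


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_KRB5_CONF), ("bad", BAD_KRB5_CONF)):
        print(label, check_krb5_conf(parse_krb5_conf(text)) or "OK")
    for entry in ("192.0.2.10", "ts01.corp.example", "https://ts01.corp.example:3389/"):
        print(entry, "->", device_address_check(entry))
```

Run it against your own /etc/krb5.conf by reading the file into parse_krb5_conf; the sample config passes with no findings, while the constructed counter-example reports the lower-case realm, the missing realm stanza and the RC4 enctype. The device check accepts a bare hostname or a management URL and rejects IPv4/IPv6 literals, which is exactly the mistake step 4 warns about.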

Great to read that this should work (in beta 🙂), sadly I never got the v2 proxy to work… Is there any guideline for setting it up?

Never got any further than this error after shifting to v2:

Dec  9 18:53:31 segura-lab ruler-api-gateway: Loading settings file /etc/senhasegura/proxy/api/senhasegura-gateway.conf.
Dec  9 18:53:31 segura-lab senhasegura[1873639]: LOGGER|2025-12-09T19:53:31+02:00|Coss\Api\Gateway\Plugin|3|/usr/local/senhasegura/public_html/orbit/api/index.php|SQLSTATE[42S02]: Base table or view not found: 1146 Table 'senhasegura.coss|6938621b44261||12|Proxy Gateway [segura-lab]|34f3978ea39ed9a4623c174c6b7e3a7bfb967164fc6ee30d939d62ec0a3846d4|/orbit/api/proxy/auth/login
Dec  9 18:53:31 segura-lab docker[73220]: 127.0.0.1 - 127.0.0.1 - - [09/Dec/2025:17:53:31 +0000] "POST /api/proxy/auth/login HTTP/1.1" 500 266 "-" "proxy-web-ng"
Dec  9 18:53:43 segura-lab senhasegura[1873638]: LOGGER|2025-12-09T19:53:43+02:00|Coss\Api\Gateway\Plugin|3|/usr/local/senhasegura/public_html/orbit/api/index.php|SQLSTATE[42S22]: Column not found: 1054 Unknown column 'token_uuid' in 'WHE|693862277bf6b||12|Proxy Gateway [segura-lab]|62e2c81ac8c77e8f29f0ec53ccbf3f7c2a9ac76de7383f3a45758c464260b50b|/orbit/api/proxy/session/ping
Dec  9 18:53:43 segura-lab docker[73220]: 127.0.0.1 - 127.0.0.1 - - [09/Dec/2025:17:53:43 +0000] "GET /api/proxy/session/ping?user_addr=172.16.20.50 HTTP/1.1" 500 266 "-" "proxy-web-ng"

Your logs point to a weird behavior.

Try updating to the latest 4.0 version.

Update procedure for a standalone that's already on version 4.0:
Take snapshots
orbit repository configure stable
apt update
orbit apt install orbit-cli
orbit update --force

After that:
orbit proxy shift v2
orbit proxy api-token

Then try to start sessions.

The update sadly didn’t seem to be of use. V2 proxy still fails with the same error; the logs could indicate some problems with database consistency in my opinion… While installing the update the database normalization also seemed to fail, I don’t know how common this is. Maybe there’s an easy fix?

As soon as I find some time, I will try with a fresh install (for reproducibility) and update this post.

Hi,

Seems like your lab environment has database issues, you might need to redeploy your instance.

On a production instance you could have the support team take a look but if this is just your lab a new deployment must definitely fix this.

Database normalize and tables missing usually mean something went really wrong and it needs analysis, which is mostly not worth it for a lab…