Install & Configure KDC-Proxy

Install & Configure KDC-Proxy

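### ---- Settings ---------------------------------------------------------
$kdcCert = "schweigerstechblog.de"      ### SET ROOT DOMAIN (substring matched against the certificate Subject)
$kdcFQDN = "kdc.schweigerstechblog.de"  ### CHANGE TO YOUR PUBLIC DOMAIN
$kdcPort = 443                          ### IT'S NOT RECOMMENDED BUT YOU CAN CHANGE THE PORT

# Every step below depends on the previous one (URL reservation -> certificate
# binding -> service settings), so stop at the first failure instead of
# silently binding an empty thumbprint or writing to a missing registry key.
$ErrorActionPreference = 'Stop'

Install-WindowsFeature -Name Web-Scripting-Tools, Web-Mgmt-Console
Import-Module -Name WebAdministration

### ---- URL reservation for the KDC Proxy service account -----------------
# netsh is called directly (no cmd /c wrapper) so its exit code is visible.
# A second run fails here with "already exists"; delete the reservation first
# (netsh http delete urlacl) if you need to re-run the script.
& netsh http add urlacl url="https://+:$kdcPort/KdcProxy" user="NT AUTHORITY\Network Service"
if ($LASTEXITCODE -ne 0) {
    throw "netsh http add urlacl failed (exit code $LASTEXITCODE)"
}

### ---- Select exactly one server certificate ----------------------------
# The wildcard subject match can hit several certificates (renewed, expired,
# or CA-issued ones for the same domain). Require a private key and a
# currently valid period, and take the longest-lived match so the binding
# never receives a list of thumbprints or an empty one.
$now = Get-Date
$kdcCertObject = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object -FilterScript {
        $_.Subject -like "*$($kdcCert)*" -and
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and
        $_.NotAfter -gt $now
    } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $kdcCertObject) {
    throw "No valid certificate with a private key matching '*$kdcCert*' found in Cert:\LocalMachine\My"
}
$kdcThumbprint = $kdcCertObject.Thumbprint

# "B" format yields the braced form {xxxxxxxx-...} that netsh expects for appid.
$randomGuid = [Guid]::NewGuid().ToString("B")

### ---- Bind the certificate to the public hostname/port -----------------
# hostnameport binds by SNI name, so other HTTPS bindings on the port are untouched.
& netsh http add sslcert hostnameport="${kdcFQDN}:${kdcPort}" certhash="$kdcThumbprint" appid="$randomGuid" certstorename=MY
if ($LASTEXITCODE -ne 0) {
    throw "netsh http add sslcert failed (exit code $LASTEXITCODE)"
}

### ---- KDC Proxy service settings ---------------------------------------
$kpsSettings = 'HKLM:\SYSTEM\CurrentControlSet\Services\KPSSVC\Settings'

# The Settings subkey is not guaranteed to exist; New-ItemProperty cannot create
# it. -Force makes this a no-op when the key is already there.
New-Item -Path $kpsSettings -Force | Out-Null

# HttpsClientAuth = 0: clients are NOT required to present a TLS client
# certificate, so any Internet host that can reach the port may talk to the
# proxy. Set to 1 if your clients can be issued certificates.
New-ItemProperty -Path $kpsSettings -Name HttpsClientAuth -Type Dword -Value 0x0 -Force
# DisallowUnprotectedPasswordAuth = 0: password-based Kerberos exchanges are
# allowed through the proxy. Some scenarios need this; if yours does not,
# 1 is the stricter setting.
New-ItemProperty -Path $kpsSettings -Name DisallowUnprotectedPasswordAuth -Type Dword -Value 0x0 -Force
# "+:<port>" must agree with the urlacl and sslcert entries above.
New-ItemProperty -Path $kpsSettings -Name HttpsUrlGroup -Type MultiString -Value "+:$kdcPort" -Force

### ---- Firewall and service ---------------------------------------------
# -Action Allow is the default; stated explicitly so the rule's intent is
# visible when the script is reviewed.
New-NetFirewallRule -DisplayName "Allow KDCProxy TCP $kdcPort" -Direction Inbound -Protocol TCP -LocalPort $kdcPort -Action Allow

Set-Service -Name KPSSVC -StartupType Automatic
# Restart rather than Start: the registry settings are read at service start,
# so a service that was already running would otherwise keep the old values.
Restart-Service -Name KPSSVC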
