Hacker News

Windows does support SSH now, so maybe you could rig RDP-over-SSH yourself with port forwarding.



RDP-over-SSH will break Kerberos authentication for two reasons: 1) you'll point the RDP client to localhost and a random port and 2) you won't get a KDC line-of-sight. The irony is Microsoft has demoed this with SSH over Azure Arc, which can only result in an NTLM downgrade.

IronRDP is designed to work with Devolutions Gateway (https://github.com/Devolutions/devolutions-gateway) for just-in-time RDP connections made from the web or through the desktop client. Devolutions Gateway also supports just-in-time KDC proxying alongside the main RDP connection, making Kerberos possible.

You can install the free standalone web access package of Devolutions Gateway to try it out; it will give you a simple web interface where you can enter the hostname, username and password.

But if you really want the simplest solution, it's with the rest of the Devolutions stack with Remote Desktop Manager and Devolutions Server. In the end, you'll be able to make RDP connections from RDM or through the web with just a double-click, and it'll automatically generate short-lived tokens and make RDP + Kerberos work seamlessly: https://devolutions.net/gateway/


Kerberos has a protocol for when you don't have a line of sight to the KDC: IAKERB. IIRC MSFT is very interested in it in order to kill off NTLM finally.


IAKerb still hasn't shipped - it's a preview feature. Meanwhile, we've been doing KDC proxying successfully in Devolutions Gateway for several years. Sometimes you can wait forever for a supposedly better solution, or you can just make it work in the most obvious way. In the end, all you need is to forward KDC messages, right? It's annoying that it's out-of-band, but the KDC proxying protocol is just an HTTP POST that takes a request message, and sends the response message back.
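
The "HTTP POST that takes a request message and sends the response back" is the MS-KKDCP protocol. The following is an added example for this thread, not code from the comment above or from Devolutions Gateway: it encodes and decodes the DER wrapper a KDC proxy exchanges with clients, and shows the relay step the proxy performs in between. The proxy never decrypts anything; it forwards an opaque, TCP-framed Kerberos message to a KDC and wraps the reply the same way. The AS-REQ/AS-REP bytes and the in-process fake KDC are constructed stand-ins.

```python
"""Minimal MS-KKDCP (Kerberos KDC proxy) message codec plus relay logic.

Wire format (from MS-KKDCP):

    KDC-PROXY-MESSAGE ::= SEQUENCE {
        kerb-message   [0] OCTET STRING,            -- TCP-framed Kerberos PDU
        target-domain  [1] KerberosString OPTIONAL, -- realm to find a KDC for
        dclocator-hint [2] INTEGER OPTIONAL
    }

Added example; the sample PDUs and fake KDC below are constructed.
"""
import struct
from typing import Callable, Optional

KDC_PROXY_PATH = "/KdcProxy"                  # default path used by Windows
KDC_PROXY_CONTENT_TYPE = "application/kerberos"

# Constructed stand-ins: only the APPLICATION tags are realistic
# (0x6a = [APPLICATION 10] AS-REQ, 0x6b = [APPLICATION 11] AS-REP);
# the bodies are a dummy SEQUENCE { INTEGER 5 }, not real Kerberos content.
FAKE_AS_REQ = b"\x6a\x05\x30\x03\x02\x01\x05"
FAKE_AS_REP = b"\x6b\x05\x30\x03\x02\x01\x05"


def _der_len(n: int) -> bytes:
    """DER length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_int(n: int) -> bytes:
    """DER INTEGER content octets (two's complement, minimal length)."""
    return n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def tcp_frame(kerberos_pdu: bytes) -> bytes:
    """Kerberos-over-TCP framing: 4-byte big-endian length, then the PDU."""
    return struct.pack(">I", len(kerberos_pdu)) + kerberos_pdu


def encode_kdc_proxy_message(kerb_message: bytes,
                             target_domain: Optional[str] = None,
                             dclocator_hint: Optional[int] = None) -> bytes:
    """Wrap a TCP-framed Kerberos message for an HTTP POST to the proxy."""
    if len(kerb_message) < 4 or struct.unpack(">I", kerb_message[:4])[0] != len(kerb_message) - 4:
        raise ValueError("kerb-message must carry a matching 4-byte TCP length prefix")
    fields = _tlv(0xA0, _tlv(0x04, kerb_message))
    if target_domain is not None:                       # KerberosString = GeneralString (0x1B)
        fields += _tlv(0xA1, _tlv(0x1B, target_domain.encode("ascii")))
    if dclocator_hint is not None:
        fields += _tlv(0xA2, _tlv(0x02, _der_int(dclocator_hint)))
    return _tlv(0x30, fields)


def _read_tlv(buf: bytes, pos: int):
    """Read one DER element at pos; returns (tag, content, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    body = buf[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated DER element")
    return tag, body, pos + length


def decode_kdc_proxy_message(data: bytes) -> dict:
    """Parse a KDC-PROXY-MESSAGE; rejects trailing bytes and unknown fields."""
    tag, seq, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("body is not a single DER SEQUENCE")
    out = {"kerb_message": None, "target_domain": None, "dclocator_hint": None}
    pos = 0
    while pos < len(seq):
        ctx, inner, pos = _read_tlv(seq, pos)
        itag, value, _ = _read_tlv(inner, 0)
        if ctx == 0xA0 and itag == 0x04:
            out["kerb_message"] = value
        elif ctx == 0xA1 and itag == 0x1B:
            out["target_domain"] = value.decode("ascii")
        elif ctx == 0xA2 and itag == 0x02:
            out["dclocator_hint"] = int.from_bytes(value, "big", signed=True)
        else:
            raise ValueError(f"unexpected field tag {ctx:#x}")
    if out["kerb_message"] is None:
        raise ValueError("kerb-message is mandatory")
    return out


def proxy_relay(http_body: bytes, send_to_kdc: Callable[[Optional[str], bytes], bytes]) -> bytes:
    """What the proxy does per POST: unwrap, check the TCP length prefix,
    forward the opaque PDU to a KDC for the named realm, wrap the reply."""
    msg = decode_kdc_proxy_message(http_body)
    kerb = msg["kerb_message"]
    if struct.unpack(">I", kerb[:4])[0] != len(kerb) - 4:
        raise ValueError("length prefix mismatch")
    reply_pdu = send_to_kdc(msg["target_domain"], kerb[4:])
    return encode_kdc_proxy_message(tcp_frame(reply_pdu))


def fake_kdc(realm: Optional[str], pdu: bytes) -> bytes:
    """Constructed stand-in for a KDC reachable only from the proxy."""
    return FAKE_AS_REP


def demo() -> dict:
    """Client wraps an AS-REQ, proxy relays it, client unwraps the AS-REP."""
    body = encode_kdc_proxy_message(tcp_frame(FAKE_AS_REQ), "EXAMPLE.COM", 0)
    return decode_kdc_proxy_message(proxy_relay(body, fake_kdc))


if __name__ == "__main__":
    print(f"POST {KDC_PROXY_PATH}  Content-Type: {KDC_PROXY_CONTENT_TYPE}")
    print(demo())
```

Because the proxy only sees the outer wrapper, it can enforce policy (which realms it will locate a KDC for, request size, authentication of the HTTPS session) without ever holding ticket material; that is why a gateway can offer this just-in-time without becoming a Kerberos trust anchor itself.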


Right, but while I know a lot about Kerberos I know very little about AVD. Does Microsoft expose an HTTPS proxy for the KDCs?


You need to deploy the KDC proxy yourself, and then add it to the .RDP file options in your AVD feed. It's not something that works out of the box: https://learn.microsoft.com/en-us/azure/virtual-desktop/key-...


Aha. Thanks!


Here's RDP over ssh, per one commenter:

https://news.ycombinator.com/item?id=43441584


RD Gateway leverages SSL for encrypted transport for RDP between client and host. Maybe it is possible :-)


RD Gateway has nothing to do with tunneling, it's just a reverse proxy for RDP connections. Funny note: as you've mentioned in another comment, my guess is that RDG was also licensed from Citrix but at a later point.
