Kerberos - Port 88

    Question

  • For Kerberos to function in constrained delegation within an extranet scenario, is it a requirement to have port 88 open on the firewall? Does the client (e.g. browser) need to communicate through this port to the Domain Controller's Key Distribution Center (KDC)? Or is this communication done between just the WFE and AD KDC?


    There is conflicting MS documentation on this topic.

    The Extranet Hardening Planning Tool mentions that only TCP ports 80 or 443 are required.

    http://go.microsoft.com/fwlink/?LinkId=85531&clcid=0x409


    However, the SP2010 Kerberos Guide mentions:

    "clients have connectivity to the KDC (Active Directory domain controller in Windows environments) over TCP/UDP port 88 (Kerberos), and TCP/UDP port 464 (Kerberos Change Password – Windows)"

    http://technet.microsoft.com/en-us/library/ff829837.aspx


    This seems to indicate that port 88 needs to be open on the firewall?


    Can someone clarify?

    Thanks.

    Fred


    Frederick Lin, http://fredericklin.com
    Wednesday, December 08, 2010 7:10 PM

Answers

  • Hi Fred,


    In my opinion, it may depend on the following two options:


    • Use Kerberos only

    • Use any authentication protocol


    If you choose the first one, you may need to have port 88 open on the firewall. If you choose the second one, you may not need to do that.


    For more information about Protocol Transition with Constrained Delegation Technical Supplement, please refer to the following article:


    http://msdn.microsoft.com/en-us/library/ff650469.aspx


    Hope this helps.


    Rock Wang


    Regards, Rock Wang Microsoft Online Community Support
    Thursday, December 09, 2010 10:08 AM
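The distinction in the answer above can be checked directly on the WFE. The following PowerShell script is an added example, not code from the thread or from Microsoft: it reads the delegation mode of the SharePoint service account from Active Directory and tests whether the KDC ports are reachable from the WFE. The account name, the domain controller name, and the availability of the ActiveDirectory module (RSAT) and Test-NetConnection are assumptions.

```powershell
# Added example (not from the thread): report the constrained delegation mode of the
# WFE service account and test KDC reachability. Account and DC names are placeholders.
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\svc-sp-web'   # placeholder: the WFE application pool account
$Kdc            = 'dc01.contoso.local'   # placeholder: a domain controller acting as KDC

# TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000) is set in userAccountControl when the
# account is configured for "Use any authentication protocol" (protocol transition).
$TrustedToAuthForDelegation = 0x1000000

# For a computer account (e.g. a machine-account-based app pool) use Get-ADComputer instead.
$sam  = $ServiceAccount.Split('\')[-1]
$acct = Get-ADUser -Identity $sam -Properties userAccountControl, 'msDS-AllowedToDelegateTo'

$protocolTransition = ($acct.userAccountControl -band $TrustedToAuthForDelegation) -ne 0
$targets = $acct.'msDS-AllowedToDelegateTo'

if (-not $targets -or $targets.Count -eq 0) {
    Write-Output "${sam}: no constrained delegation targets configured."
} elseif ($protocolTransition) {
    Write-Output "${sam}: constrained delegation with 'Use any authentication protocol'."
    Write-Output "  Browsers need not reach the KDC; the WFE obtains tickets on their behalf (S4U2Self/S4U2Proxy)."
} else {
    Write-Output "${sam}: constrained delegation with 'Use Kerberos only'."
    Write-Output "  Browsers must present a Kerberos ticket, so they need TCP/UDP 88 to a KDC."
}
foreach ($spn in $targets) {
    Write-Output "  allowed delegation target: $spn"
}

# In either mode the WFE itself talks to the KDC: verify TCP 88 (Kerberos) and 464 (kpasswd).
foreach ($port in 88, 464) {
    $r = Test-NetConnection -ComputerName $Kdc -Port $port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'blocked' }
    Write-Output ("KDC {0} TCP/{1}: {2}" -f $Kdc, $port, $state)
}
```

Run it on the WFE as a user with read access to the service account object; a "blocked" result for port 88 while the account is in "Use Kerberos only" mode is the firewall gap the question asks about.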