For Kerberos to function in constrained delegation within an extranet scenario, is it a requirement to have port 88 open on the firewall? Does the client (e.g. browser) need to communicate through this port to the Domain Controller's Key Distribution Center (KDC)? Or is this communication done between just the WFE and AD KDC?
There is conflicting MS documentation on this topic.
The Extranet Hardening Planning Tool mentions that only TCP ports 80 or 443 are required.