Kerberos - Port 88


  • For Kerberos to function in constrained delegation within an extranet scenario, is it a requirement to have port 88 open on the firewall? Does the client (e.g. browser) need to communicate through this port to the Domain Controller's Key Distribution Center (KDC)? Or is this communication done between just the WFE and the AD KDC?


    There is conflicting MS documentation on this topic.

    The Extranet Hardening Planning Tool mentions that only TCP port 80 or 443 is required.


    However, the SP2010 Kerberos Guide mentions:

    "clients have connectivity to the KDC (Active Directory domain controller in Windows environments) over TCP/UDP port 88 (Kerberos), and TCP/UDP port 464 (Kerberos Change Password – Windows)"


    This seems to indicate that port 88 needs to be open on the firewall?


    Can someone clarify?



    Frederick Lin,
    Wednesday, December 08, 2010 7:10 PM


  • Hi Fred,


    In my opinion, it may depend on the following two options:


    · Use Kerberos only

    · Use any authentication protocol


    If you choose the first one, you may need to have port 88 open on the firewall. If you choose the second one, you may not need to do that.


    For more information about the Protocol Transition with Constrained Delegation Technical Supplement, please refer to the following article:



    Hope this helps.


    Rock Wang

    Regards, Rock Wang Microsoft Online Community Support
    Thursday, December 09, 2010 10:08 AM
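
The distinction in the answer above ("Use Kerberos only" versus "Use any authentication protocol") is recorded on the web front end's computer account in Active Directory, so you can read it back and pair it with a reachability test for TCP 88 from the extranet side. The following PowerShell is an added example, not code from the thread or from Microsoft's documentation; the computer account name 'SPWFE01' and the domain controller name 'DC01' are assumed placeholders, and it relies on the ActiveDirectory RSAT module plus Test-NetConnection (Windows 8 / Server 2012 or later).

```powershell
# Added example (not from the original thread): show which constrained delegation
# mode the SharePoint WFE computer account is in, and test whether a host on the
# client side of the firewall can reach the KDC on TCP 88.
# Assumed names: WFE computer account 'SPWFE01', domain controller 'DC01'.

Import-Module ActiveDirectory

$wfe = Get-ADComputer -Identity 'SPWFE01' -Properties 'msDS-AllowedToDelegateTo',
    'TrustedToAuthForDelegation', 'TrustedForDelegation'

# SPNs the WFE is allowed to request service tickets for on behalf of users.
Write-Host 'Allowed delegation targets:'
$wfe.'msDS-AllowedToDelegateTo' | ForEach-Object { Write-Host "  $_" }

if ($wfe.TrustedToAuthForDelegation) {
    # TRUSTED_TO_AUTH_FOR_DELEGATION is set: "Use any authentication protocol"
    # (protocol transition). The WFE obtains a ticket for the user itself (S4U2Self),
    # so the browser can authenticate to the WFE with NTLM or forms and never has to
    # talk to the KDC; only the WFE needs port 88 to the domain controllers.
    Write-Host 'Mode: constrained delegation with protocol transition (any protocol).'
}
elseif ($wfe.'msDS-AllowedToDelegateTo') {
    # Delegation targets without protocol transition: "Use Kerberos only".
    # The WFE must be presented with a genuine Kerberos service ticket, which the
    # browser can only get from the KDC, so TCP/UDP 88 must be reachable from the
    # client network as the SP2010 Kerberos guide states.
    Write-Host 'Mode: constrained delegation, Kerberos only.'
}
elseif ($wfe.TrustedForDelegation) {
    Write-Host 'Mode: unconstrained delegation (not constrained delegation at all).'
}
else {
    Write-Host 'Mode: no delegation configured on this account.'
}

# Run this part from a machine on the client (extranet) side of the firewall.
# TcpTestSucceeded = False together with "Kerberos only" means browser Kerberos
# authentication cannot work through that firewall.
Test-NetConnection -ComputerName 'DC01' -Port 88 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

Test-NetConnection only exercises TCP; Windows clients try UDP 88 first and fall back to TCP, so a TCP-only allow rule is sufficient for Windows but a UDP-only one is not. Port 464 (kpasswd) in the guide's quote matters only if clients must change expired passwords through the firewall, not for obtaining service tickets.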