Re: firewall port requirements for windows fall-back authentication

From: S. Pidgorny (
Date: 10/20/03

Date: Mon, 20 Oct 2003 21:56:04 +1000

Transmission of NTLM hashes and Kerberos tickets is inside the application
protocol. For example, a Web server doesn't require anything but HTTP open
between a client and the server. However, both need access to a DC to verify
credentials. Nothing is required in the "fallback" mode; however, that one
can only give an NTLM hash and not a Kerberos ticket.

Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-
"enrico sabbadin" <> wrote in message
> Hi,
> I've been researching through the web and I've somehow understood what
> must be open in a firewall
> to have NTLM and Kerberos authentication succeed.
> I then have read some MS docs stating that "if a firewall is in-between"
> best solution is to use the fall back authentication mode .. that is
> two matching local accounts on the client and a server (say a web server
> (client) and an application server (server)).
> I'm well aware of the fall-back mechanism .. still what I don't know in
> terms this approach solves the problem ..
> that is .. what ports do not need to be opened anymore when using fall back
> authentication ?
> thanks for your help
> p.s.: I'd like to understand if IPSEC can be used to bypass these issues
> I've read some docs about it but some say yes, other say no .. can someone
> explain ?
> again .. thanks a lot
> -- 
> MTS - COM+ - VBCOM - Enterprise Services - Security FAQ
> .NET & COM+ books selected list
> "Moving fast is not the same as going somewhere." -Robert Anthony
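The reply above makes the point that NTLM and Kerberos material travels inside the application protocol, and that the fall-back mode only ever yields NTLM. A defender auditing a web server behind a firewall can check which mechanism clients actually negotiated by inspecting the `Authorization` header: a raw NTLM message starts with the `NTLMSSP\0` signature (base64 `TlRMTVNTUAAB` for a type-1 message), while a Kerberos exchange arrives as a GSS-API/SPNEGO token that starts with the `0x60` tag and carries the Kerberos mechanism OID. The following is an added example, not code from this thread or from any Microsoft product; the sample tokens and the log lines are constructed here, the AP-REQ body is a placeholder, and `make_header`, `summarize` and `ntlm_clients` are helper names chosen for the example.

```python
import base64
import binascii
import struct
from collections import Counter
from typing import Dict, Iterable, List

# Added example: classify the token in an HTTP Authorization header to tell a
# Kerberos (SPNEGO + AP-REQ) exchange from NTLM. Samples are constructed here.

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER-encoded OIDs (tag 0x06, length, contents)
SPNEGO_OID = bytes.fromhex("06062b0601050502")             # 1.3.6.1.5.5.2
KERBEROS_OID = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
NTLM_MECH_OID = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV with short-form length (sufficient for these samples)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def build_ntlm_negotiate() -> bytes:
    """Constructed minimal NTLM NEGOTIATE_MESSAGE (type 1): signature, message
    type, negotiate flags, and empty domain/workstation fields."""
    flags = 0x1 | 0x2 | 0x4 | 0x200 | 0x8000  # UNICODE|OEM|REQUEST_TARGET|NTLM|ALWAYS_SIGN
    empty_field = struct.pack("<HHI", 0, 0, 0)  # len, maxlen, offset
    return NTLMSSP_SIGNATURE + struct.pack("<II", 1, flags) + empty_field + empty_field


def build_spnego_kerberos() -> bytes:
    """Constructed GSS-API InitialContextToken wrapping a SPNEGO NegTokenInit
    whose first mechType is Kerberos; the mechToken is a placeholder, not a
    real AP-REQ."""
    mech_types = der(0xA0, der(0x30, KERBEROS_OID))
    mech_token = der(0xA2, der(0x04, b"<constructed AP-REQ placeholder>"))
    neg_token_init = der(0xA0, der(0x30, mech_types + mech_token))
    return der(0x60, SPNEGO_OID + neg_token_init)


def make_header(scheme: str, token: bytes) -> str:
    """Render an Authorization header value as a client would send it."""
    return f"{scheme} {base64.b64encode(token).decode()}"


def classify_authorization(header_value: str) -> str:
    """Return 'kerberos', 'ntlm', 'other', 'malformed' or 'unknown'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("ntlm", "negotiate"):
        return "other"
    try:
        token = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if token.startswith(NTLMSSP_SIGNATURE):
        # Raw NTLMSSP: sent under the NTLM scheme, and also under Negotiate
        # when the client has no Kerberos ticket for the server.
        return "ntlm"
    if token[:1] != b"\x60" or SPNEGO_OID not in token:
        return "unknown"
    # In NegTokenInit the optimistic mechToken belongs to the first mechType,
    # so the mechanism whose OID (or NTLMSSP signature) appears earliest wins.
    ntlm_hits = [p for p in (token.find(NTLM_MECH_OID), token.find(NTLMSSP_SIGNATURE)) if p >= 0]
    positions = {"kerberos": token.find(KERBEROS_OID),
                 "ntlm": min(ntlm_hits) if ntlm_hits else -1}
    found = {k: v for k, v in positions.items() if v >= 0}
    return min(found, key=found.get) if found else "unknown"


# Constructed access-log lines of the form "<client> <Authorization value>".
SAMPLE_LOG = [
    "10.0.0.5 " + make_header("Negotiate", build_spnego_kerberos()),
    "10.0.0.6 " + make_header("Negotiate", build_ntlm_negotiate()),
    "10.0.0.7 " + make_header("NTLM", build_ntlm_negotiate()),
    "10.0.0.8 Basic dXNlcjpwYXNz",
]


def summarize(log_lines: Iterable[str]) -> Dict[str, int]:
    """Count negotiated mechanisms across the log."""
    counts: Counter = Counter()
    for line in log_lines:
        _, _, auth = line.partition(" ")
        counts[classify_authorization(auth)] += 1
    return dict(counts)


def ntlm_clients(log_lines: Iterable[str]) -> List[str]:
    """Clients that ended up on NTLM, i.e. the fall-back path the reply warns about."""
    return [line.split(" ", 1)[0] for line in log_lines
            if classify_authorization(line.partition(" ")[2]) == "ntlm"]


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("NTLM clients:", ntlm_clients(SAMPLE_LOG))
```

Run against real access logs, a persistent NTLM result from a client that should have a line of sight to a DC usually means the Kerberos ports are blocked by the firewall and the client has silently fallen back, which is exactly the condition the question is trying to reason about.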