Re: firewall port requirements for windows fall-back authentication

From: S. Pidgorny (slavickp_at_yahoo.com)
Date: 10/20/03


Date: Mon, 20 Oct 2003 21:56:04 +1000

Transmission of NTLM hashes and Kerberos tickets is inside the application
protocol. For example, a Web server doesn't require anything but HTTP open
between a client and the server. However, both need access to a DC to verify
credentials. Nothing is required in the "fallback" mode; however, that one
can only give an NTLM hash and not a Kerberos ticket.

-- 
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-
"enrico sabbadin" <sabbadin@infinito.it> wrote in message
news:u17xqaulDHA.2676@TK2MSFTNGP11.phx.gbl...
> Hi,
> I've been researching through the web and I've somehow understood what ports
> must be open in a firewall to have NTLM and Kerberos authentication succeed.
> I then have read some MS docs stating that "if a firewall is in-between" the
> best solution is to use the fall back authentication mode .. that is having
> two matching local accounts on the client and a server (say a web server
> (client) and an application server (server)).
>
> I'm well aware of the fall-back mechanism .. still what I don't know is in
> what terms this approach solves the problem ..
> that is .. what ports do not need to be opened anymore when using fall back
> authentication ?
>
> thanks for your help
>
> p.s.: I'd like to understand if IPSEC can be used to bypass these issues ..
> I've read some docs about it but some say yes, others say no .. can someone
> explain ?
> again .. thanks a lot
>
>
> -- 
> sabbadin@sabbasoft.com
> MTS - COM+ - VBCOM - Enterprise Services - Security FAQ
> .NET & COM+ books selected list
> http://www.sabbasoft.com
> "Moving fast is not the same as going somewhere." -Robert Anthony
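Added example (not part of either poster's message) illustrating the point above that the NTLM or Kerberos material rides inside HTTP itself: a small Python classifier that decodes the base64 blob of an Authorization header and reports whether it carries a raw NTLMSSP message or a Kerberos/SPNEGO GSS-API token, so a defender reading proxy or IIS logs can tell when clients have fallen back to NTLM. The OID encodings are the standard ones from RFC 4178, RFC 4121 and MS-SPNG; the sample headers are constructed here, not captured traffic, and the SPNEGO mechType scan is a substring heuristic rather than a full ASN.1 parser.

```python
import base64

# DER-encoded OID bodies (RFC 4178 SPNEGO, RFC 4121 Kerberos, MS-SPNG NTLMSSP), hand-encoded
OID_SPNEGO = bytes.fromhex("2b060105050002")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
OID_MSKRB5 = bytes.fromhex("2a864882f712010202")      # 1.2.840.48018.1.2.2 (MS legacy Kerberos)
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10

def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV for short-form lengths (body < 128 bytes); enough for the samples."""
    return bytes([tag, len(body)]) + body

def classify_authorization(header_value: str) -> str:
    """Return 'kerberos', 'ntlm', 'basic' or 'unknown' for an HTTP Authorization value."""
    scheme, _, token = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "basic"
    if scheme not in ("ntlm", "negotiate"):
        return "unknown"
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:                      # binascii.Error is a ValueError subclass
        return "unknown"
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"                       # raw NTLMSSP message (NTLM scheme or Negotiate fallback)
    if raw[:1] != b"\x60":
        return "unknown"                    # not a GSS-API InitialContextToken
    if OID_KRB5 in raw[:16] or OID_MSKRB5 in raw[:16]:
        return "kerberos"                   # bare Kerberos AP-REQ wrapped in GSS-API
    if OID_SPNEGO in raw[:16]:
        # NegTokenInit: the first mechType listed is the one whose token follows (heuristic scan)
        found = [(raw.find(o), n) for n, o in (("kerberos", OID_KRB5), ("kerberos", OID_MSKRB5),
                 ("ntlm", OID_NTLMSSP)) if o in raw]
        if found:
            return min(found)[1]
    return "unknown"

def sample_ntlm_header() -> str:
    """Constructed NTLM Type 1 (negotiate) message: signature, type, flags, empty fields."""
    msg = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2" + b"\x00" * 16
    return "NTLM " + base64.b64encode(msg).decode()

def sample_spnego_header(first_mech: bytes) -> str:
    """Constructed SPNEGO NegTokenInit whose mechTypes list starts with first_mech."""
    mechs = [first_mech] + [m for m in (OID_KRB5, OID_NTLMSSP) if m != first_mech]
    mech_types = der(0x30, b"".join(der(0x06, m) for m in mechs))
    neg_token_init = der(0xA0, der(0x30, der(0xA0, mech_types)))
    token = der(0x60, der(0x06, OID_SPNEGO) + neg_token_init)
    return "Negotiate " + base64.b64encode(token).decode()
```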