Re: firewall port requirements for windows fall-back authentication

From: S. Pidgorny (slavickp_at_yahoo.com)
Date: 10/20/03


Date: Mon, 20 Oct 2003 21:56:04 +1000

Transmission of NTLM hashes and Kerberos tickets is inside the application
protocol. For example, a Web server doesn't require anything but HTTP open
between a client and the server. However, both need access to a DC to verify
credentials. Nothing is required in the "fallback" mode; however, that one
can only give an NTLM hash and not a Kerberos ticket.

-- 
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-
"enrico sabbadin" <sabbadin@infinito.it> wrote in message
news:u17xqaulDHA.2676@TK2MSFTNGP11.phx.gbl...
> Hi,
> I've been researching through the web and I've somehow understood what ports
> must be open in a firewall
> to have NTLM and Kerberos authentication succeed.
> I then have read some MS docs stating that "if a firewall is in-between" the
> best solution is to use the fall back authentication mode .. that is having
> two matching local accounts on the client and a server (say a web server
> (Client) and an application server (server)).
>
> I'm well aware of the fall-back mechanism .. still what I don't know is in what
> terms this approach solves the problem ..
> that is .. what ports do not need to be opened anymore when using fall back
> authentication?
>
> thanks for your help
>
> p.s.: I'd like to understand if IPSEC can be used to bypass these issues ..
> I've read some docs about it but some say yes, others say no .. can someone
> explain?
> again .. thanks a lot
>
>
> -- 
> sabbadin@sabbasoft.com
> MTS - COM+ - VBCOM - Enterprise Services - Security FAQ
> .NET & COM+ books selected list
> http://www.sabbasoft.com
> "Moving fast is not the same as going somewhere." -Robert Anthony
>
>
>
>
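
Added example (not part of the original thread): because the NTLM or Kerberos token travels inside the application protocol, the HTTP `Authorization` header alone shows which mechanism a client used, which lets a defender spot clients that fell back to NTLM. The function name, the heuristic (signature and OID search instead of full ASN.1 parsing) and the sample tokens are constructed for illustration.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs as they appear inside GSS-API / SPNEGO tokens.
OID_SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_KRB5_MS = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2 (legacy MS)
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}


def classify_authorization(value):
    """Return (scheme, mechanism, detail) for an HTTP Authorization header value."""
    scheme, _, blob = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme not in ("ntlm", "negotiate"):
        return scheme, "other", None
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return scheme, "malformed", None
    # An NTLMSSP message may be sent raw or wrapped in SPNEGO, so search for it.
    pos = token.find(NTLMSSP_SIG)
    if pos != -1 and len(token) >= pos + 12:
        (msg_type,) = struct.unpack_from("<I", token, pos + 8)
        return scheme, "ntlm", NTLM_TYPES.get(msg_type, "unknown")
    # No NTLMSSP payload: a Kerberos OID means the token carries a ticket.
    if OID_KRB5 in token or OID_KRB5_MS in token:
        return scheme, "kerberos", None
    return scheme, "unknown", None


# Constructed samples (not captures): a minimal NTLM type 1 message and a
# truncated stand-in for a SPNEGO token that carries the Kerberos OID.
_ntlm1 = NTLMSSP_SIG + struct.pack("<II", 1, 0x00088207)
_krb = b"\x60\x1d" + OID_SPNEGO + OID_KRB5 + b"\x01\x00" + b"\x00" * 8
SAMPLES = [
    "NTLM " + base64.b64encode(_ntlm1).decode(),
    "Negotiate " + base64.b64encode(_ntlm1).decode(),
    "Negotiate " + base64.b64encode(_krb).decode(),
    "Basic dXNlcjpwYXNz",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_authorization(sample))
```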

