Re: firewall port requirements for windows fall-back authentication

From: enrico sabbadin (sabbadin_at_infinito.it)
Date: 10/20/03


Date: Mon, 20 Oct 2003 19:13:32 +0200

Thanks for your answer.
I know that fallback works only with local accounts ... so DCs are out of the
picture in this case .. right?
Anyway, could you explain it a little bit more? Are you saying that when
using fallback mode there is actually no authentication taking place (no
challenge/response) .. that is, the server will accept NTLM hashes coming
with the request and will compare them against the local SAM store?

best regards

"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
news:#tXizFwlDHA.2616@TK2MSFTNGP11.phx.gbl...
> Transmission of NTLM hashes and Kerberos tickets is inside the application
> protocol. For example, a Web server doesn't require anything but HTTP open
> between a client and the server. However, both need access to a DC to verify
> credentials. Nothing is required in the "fallback" mode, however, that one
> can only give an NTLM hash and not a Kerberos ticket.
>
> --
> Svyatoslav Pidgorny, MVP, MCSE
> -= F1 is the key =-
>
> "enrico sabbadin" <sabbadin@infinito.it> wrote in message
> news:u17xqaulDHA.2676@TK2MSFTNGP11.phx.gbl...
> > Hi,
> > I've been researching through the web and I've somehow understood what ports
> > must be open in a firewall
> > to have NTLM and Kerberos authentication succeed.
> > I then have read some MS docs stating that "if a firewall is in-between" the
> > best solution is to use the fall-back authentication mode .. that is, having
> > two matching local accounts on the client and the server (say a web server
> > (client) and an application server (server)).
> >
> > I'm well aware of the fall-back mechanism .. still, what I don't know is in
> > what terms this approach solves the problem ..
> > that is .. which ports do not need to be opened anymore when using fall-back
> > authentication?
> >
> > thanks for your help
> >
> > p.s.: I'd like to understand if IPsec can be used to bypass these issues ..
> > I've read some docs about it but some say yes, others say no .. can someone
> > explain?
> > again .. thanks a lot
> >
> >
> > --
> > sabbadin@sabbasoft.com
> > MTS - COM+ - VBCOM - Enterprise Services - Security FAQ
> > .NET & COM+ books selected list
> > http://www.sabbasoft.com
> > "Moving fast is not the same as going somewhere." -Robert Anthony
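As an added example, not code from either poster: the NTLMv2 challenge/response that the thread's port discussion revolves around, written out in Python so that it is visible what actually crosses the firewall between the two boxes. The account name, domain, password, server challenge and client nonce below are constructed values; MD4 is implemented inline because hashlib's md4 is an OpenSSL legacy algorithm that is often unavailable. The client proves knowledge of the NT hash with an HMAC over the server's challenge, and the verifier has to hold that same NT hash, either obtained through a DC or, for a local account, stored in its own SAM, which is the dependency behind the "matching local accounts" fall-back.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out here because hashlib's md4 is an OpenSSL
    legacy algorithm and frequently missing from stock Python builds."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, order, shifts, const in rounds:
            for i, k in enumerate(order):
                a = _lrot((a + fn(b, c, d) + x[k] + const) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so the next step updates "a"
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE password. This is what the SAM (or the DC) stores."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_key(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 of uppercase user + domain, keyed with the NT hash."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def client_blob(timestamp: int, client_nonce: bytes, target_info: bytes) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE ("temp" in MS-NLMP); travels in the clear with the response."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_nonce + b"\x00" * 4 + target_info + b"\x00" * 4)


def client_response(password: str, user: str, domain: str,
                    server_challenge: bytes, blob: bytes) -> bytes:
    """Client side: NtChallengeResponse = NTProofStr || blob. The NT hash never leaves the client."""
    key = ntlmv2_key(nt_hash(password), user, domain)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def server_verify(stored_nt: bytes, user: str, domain: str,
                  server_challenge: bytes, response: bytes) -> bool:
    """Verifier side: needs the account's NT hash (own SAM, or via a DC) to recompute the proof."""
    proof, blob = response[:16], response[16:]
    key = ntlmv2_key(stored_nt, user, domain)
    expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo() -> dict:
    """Constructed exchange between a 'web' box and an 'app' box holding matching local accounts."""
    user, domain, password = "svc_web", "APPSRV", "S3cret-Pass!"   # constructed values
    server_challenge = bytes.fromhex("0123456789abcdef")            # constructed; random in practice
    client_nonce = bytes.fromhex("aaaaaaaaaaaaaaaa")                # constructed; random in practice
    name = domain.encode("utf-16-le")
    target_info = struct.pack("<HH", 0x0002, len(name)) + name + b"\x00" * 4  # NbDomainName + EOL
    blob = client_blob(0, client_nonce, target_info)

    response = client_response(password, user, domain, server_challenge, blob)
    on_wire = server_challenge + response  # everything that crosses the firewall for this auth

    sam_ok = nt_hash(password)          # app server's local account carries the same password
    sam_stale = nt_hash("OldPassword1") # the two local accounts drifted: passwords no longer match

    return {
        "accepted": server_verify(sam_ok, user, domain, server_challenge, response),
        "accepted_with_stale_sam": server_verify(sam_stale, user, domain, server_challenge, response),
        "nt_hash_on_wire": sam_ok in on_wire,
        "password_on_wire": password.encode("utf-16-le") in on_wire,
    }


if __name__ == "__main__":
    print(demo())
```

Run it directly to print the result dict; the `accepted_with_stale_sam` entry shows the failure mode of the fall-back scheme, where the two local accounts' passwords drift apart and the proof no longer verifies even though nothing on the wire changed shape.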