Re: firewall port requirements for windows fall-back authentication
From: S. Pidgorny
Date: 10/22/03
- Next message: Keith W. McCammon: "Re: Can i use .net framework for security"
- Previous message: S. Pidgorny: "Re: IPsec/L2TP and AES"
- In reply to: enrico sabbadin: "Re: firewall port requirements for windows fall-back authentication"
Date: Wed, 22 Oct 2003 21:16:21 +1000
Authentication does take place but client doesn't receive credentials from a
server - instead, they are generated using local SAM. Same on the server.
This is how it works in NT workgroups - they don't have domain controllers
at all and still provide NTLM authentication for file and print services - I
haven't tried Web but I believe it will work too.
--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-

"enrico sabbadin" <sabbadin@infinito.it> wrote in message
news:eWVr#1ylDHA.2140@TK2MSFTNGP09.phx.gbl...
> Thanks for your answer,
> I know that fallback works only with local accounts ... so DC are out of the
> picture in this case .. right ?
> Anyway, could you explain it a little bit more ? Are you saying that when
> using fallback mode , there is actually no authentication taking place (no
> challenge response) ..that is, the server will accept NTLM hashes coming
> with the request and will compare them against the local SAM store ?
>
> best regards
>
>
> "S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
> news:#tXizFwlDHA.2616@TK2MSFTNGP11.phx.gbl...
> > Transmission of NTLM hashes and Kerberos tickets is inside the application
> > protocol. For example, a Web server doesn't require anything but HTTP open
> > b/ween a client and the server. However, both need access to a DC to verify
> > credentials. Nothing is required in the "fallback" mode, however, that one
> > can only give NTLM hash and not Kerberos ticket.
> >
> > --
> > Svyatoslav Pidgorny, MVP, MCSE
> > -= F1 is the key =-
> >
> > "enrico sabbadin" <sabbadin@infinito.it> wrote in message
> > news:u17xqaulDHA.2676@TK2MSFTNGP11.phx.gbl...
> > > Hi,
> > > I've been researching through the web and I've somehow understood what ports
> > > must be open in a firewall
> > > to have NTLM and Kerberos authentication succeed.
> > > I then have read some MS docs stating that "if a firewall is in-between" the
> > > best solution is to use the fall back authentication mode .. that is having
> > > two matching local accounts on the client and a server (say a web server
> > > (Client) and an application server (server).
> > >
> > > I'm well aware of the fall-back mechanism .. still what I don't know in what
> > > terms this approach solves the problem ..
> > > that is .. what port do not need anymore to be opened when using fall back
> > > authentication ?
> > >
> > > thanks for your help
> > >
> > > p.s.: I'd like to understand if IPSEC can be used to bypass these issues ..
> > > I've read some docs about it but some say yes, others say no .. can someone
> > > explain ?
> > > again .. thanks a lot
> > >
> > > --
> > > sabbadin@sabbasoft.com
> > > MTS - COM+ - VBCOM - Enterprise Services - Security FAQ
> > > .NET & COM+ books selected list
> > > http://www.sabbasoft.com
> > > "Moving fast is not the same as going somewhere." -Robert Anthony
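Added example, not part of the original thread: the statement above that NTLM material travels "inside the application protocol" can be seen by decoding the three NTLMSSP messages carried as base64 in HTTP `Authorization` / `WWW-Authenticate` headers, which is also how a proxy log can show which account and machine name a request authenticated as. The function names, the machine name `APPSRV01`, the account `svc_web` and all message bytes are constructed for illustration; field offsets follow the published NTLMSSP message layout and UTF-16LE names are assumed.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def _field(msg, pos):
    """Return the bytes named by the (len, maxlen, offset) descriptor at pos."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    return msg[offset:offset + length]

def parse_ntlm_header(value):
    """Decode the value of an Authorization / WWW-Authenticate: NTLM header."""
    scheme, _, blob = value.partition(" ")
    if scheme.upper() != "NTLM" or not blob:
        raise ValueError("not an NTLM header")
    msg = base64.b64decode(blob, validate=True)
    if len(msg) < 12 or not msg.startswith(SIGNATURE):
        raise ValueError("bad NTLMSSP signature")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    info = {"type": TYPES.get(mtype, "UNKNOWN")}
    if mtype == 2 and len(msg) >= 32:
        info["server_challenge"] = msg[24:32].hex()
    elif mtype == 3 and len(msg) >= 64:
        # Assumption: Unicode strings were negotiated (UTF-16LE names).
        info["nt_response_len"] = len(_field(msg, 20))
        info["domain"] = _field(msg, 28).decode("utf-16-le")
        info["user"] = _field(msg, 36).decode("utf-16-le")
    return info

def _hdr(msg):
    return "NTLM " + base64.b64encode(msg).decode("ascii")

def sample_exchange(machine="APPSRV01", user="svc_web"):
    """Constructed three-message exchange; names and bytes are made up."""
    t1 = SIGNATURE + struct.pack("<II", 1, 0x201) + bytes(16)
    t2 = SIGNATURE + struct.pack("<IHHII", 2, 0, 0, 48, 0x201) + bytes(range(1, 9)) + bytes(16)
    parts = [b"", bytes(24), machine.encode("utf-16-le"), user.encode("utf-16-le"), b"", b""]
    fields, payload = b"", b""
    for p in parts:  # LM, NT, domain, user, workstation, session key
        fields += struct.pack("<HHI", len(p), len(p), 64 + len(payload))
        payload += p
    t3 = SIGNATURE + struct.pack("<I", 3) + fields + struct.pack("<I", 0x201) + payload
    return [("Authorization", _hdr(t1)), ("WWW-Authenticate", _hdr(t2)), ("Authorization", _hdr(t3))]

if __name__ == "__main__":
    for name, value in sample_exchange():
        print(name, parse_ntlm_header(value))
```

With matching local accounts, the domain field of the final message carries a machine name rather than a Windows domain, which is a quick way to spot fall-back authentication in captured headers.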