Kerberos Ports

Hi,

I would like to share some experience with something I needed to prove about Kerberos authentication ports. I know it is a bit odd and legacy to bring up the Windows Server 2003 platform.

The reason I need the legacy server is that some IT staff did not know about the changes in authentication, especially between Windows Server 2003 and XP on one side, and Windows 7, Windows Server 2008, and 2008 R2 and above on the other.

Even when we give them the reference URLs http://support.microsoft.com/kb/244474 and http://technet.microsoft.com/nl-nl/library/dd772723(v=ws.10).aspx , they still insist that Windows 7 and 2008 use UDP 88, or vice versa.

So I showed them this network trace, captured with Network Monitor.

In Windows Server 2003 authentication to Active Directory:

Figure 1: Windows Server 2003 Kerberos authentication.

In Windows 7 authentication to Active Directory:

Figure 2: Windows 7 authentication.

You can see the difference now. Figure 1 (Windows 2003) shows UDP flags, whereas Figure 2 (Windows 7) shows TCP flags.

Also, you can see that the dynamic ports in Windows 2003 use the range 1025-5000, whereas Windows 7 uses the 49152-65535 range.

If you dig deeper in Network Monitor, you will see “KRB_ERR_RESPONSE_TOO_BIG”: initially it cannot handle a packet that large, so it then goes to TCP port 88.

Please see the references below:
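The two patterns visible in the traces can also be checked mechanically when reviewing firewall or flow logs. The following is an added example, not part of the original post: it classifies each client by the transport it uses to reach port 88 and by its source-port range, using the ranges quoted above. The flow tuple layout, the sample addresses and the label names are assumptions, and the UDP-to-TCP fallback is inferred from the order of the flows, not from parsing the KRB_ERR_RESPONSE_TOO_BIG message itself.

```python
from collections import defaultdict

KDC_PORT = 88
LEGACY_RANGE = range(1025, 5001)    # Windows Server 2003 / XP dynamic ports (from the post)
MODERN_RANGE = range(49152, 65536)  # Windows 7 / 2008 dynamic ports (from the post)

# Constructed sample flows, in capture order:
# (client_ip, protocol, source_port, destination_port)
SAMPLE_FLOWS = [
    ("10.0.0.23", "udp", 1187, 88),    # 2003-style client, first request over UDP
    ("10.0.0.23", "tcp", 1188, 88),    # same client retries over TCP (fallback)
    ("10.0.0.51", "tcp", 49731, 88),   # Windows 7-style client, TCP from the start
    ("10.0.0.51", "tcp", 49733, 88),
    ("10.0.0.77", "udp", 50211, 88),   # matches neither pattern shown in the post
    ("10.0.0.51", "tcp", 49740, 445),  # not Kerberos, ignored
]

def port_range(port):
    """Name the dynamic-port range a client source port falls into."""
    if port in LEGACY_RANGE:
        return "legacy"
    if port in MODERN_RANGE:
        return "modern"
    return "other"

def classify_clients(flows):
    """Map each client IP to the Kerberos transport pattern it exhibits."""
    seen = defaultdict(list)
    for client, proto, sport, dport in flows:
        if dport == KDC_PORT:
            seen[client].append((proto.lower(), port_range(sport)))

    result = {}
    for client, observations in seen.items():
        protos = [proto for proto, _ in observations]
        ranges = {rng for _, rng in observations}
        if ranges == {"legacy"} and protos[0] == "udp":
            # UDP first; a later TCP flow to 88 indicates the fallback path.
            fell_back = "tcp" in protos[1:]
            result[client] = "legacy-udp-tcp-fallback" if fell_back else "legacy-udp"
        elif ranges == {"modern"} and set(protos) == {"tcp"}:
            result[client] = "modern-tcp"
        else:
            result[client] = "unclassified"
    return result

if __name__ == "__main__":
    for client, label in sorted(classify_clients(SAMPLE_FLOWS).items()):
        print(client, label)
```

A client labelled `legacy-udp-tcp-fallback` needs both UDP 88 and TCP 88 open to the domain controller, while `unclassified` entries are the ones worth opening in the trace.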

http://technet.microsoft.com/en-us/library/cc779511(v=ws.10).aspx

http://support.microsoft.com/kb/244474