I would like to share an experience where I needed to prove which ports Kerberos authentication uses. I know it is a bit odd and legacy to bring up the Windows Server 2003 platform.
The reason I need a legacy server is that some IT staff did not know about the changes in authentication, especially between Windows Server 2003 & XP on one side and Windows 7 & Windows Server 2008 & 2008 R2 and above on the other.
Even when we give them the reference URLs http://support.microsoft.com/kb/244474 and http://technet.microsoft.com/nl-nl/library/dd772723(v=ws.10).aspx , they still insist that Windows 7 & 2008 use UDP 88, or vice versa.
Then I show them this network trace, captured with Network Monitor.
In Windows Server 2003 authentication to Active Directory:
Figure 1 Windows Server 2003.
In Windows 7 authentication to Active Directory:
You can see the difference now. Figure 1 (Windows 2003) shows UDP flags whereas Figure 2 (Windows 7) shows TCP flags.
Also, you can see that the dynamic port range in Windows 2003 is 1025-5000, whereas Windows 7 uses the 49152-65535 range.
If you dig deeper in Network Monitor, you see “KRB_ERR_RESPONSE_TOO_BIG”: the packet is too large to be handled at first, so the exchange then goes to TCP port 88.
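An added example (not from the original post): a small Python check that reads conversation records exported from a trace and reports, per client, whether Kerberos to port 88 ran over UDP, over TCP, or over UDP followed by TCP after KRB_ERR_RESPONSE_TOO_BIG, along with the dynamic port range the client used. The record layout, the sample rows and the function names are constructed for illustration.

```python
from collections import defaultdict

# Dynamic port ranges as stated in the post.
LEGACY_RANGE = range(1025, 5001)      # Windows Server 2003 / XP
MODERN_RANGE = range(49152, 65536)    # Windows 7 / Server 2008 and later

# Constructed sample rows: (client, transport, client_port, server_port, note)
SAMPLE_FLOWS = [
    ("10.0.0.11", "UDP", 1187, 88, "AS-REQ"),
    ("10.0.0.11", "UDP", 1187, 88, "KRB_ERR_RESPONSE_TOO_BIG"),
    ("10.0.0.11", "TCP", 1190, 88, "AS-REQ"),
    ("10.0.0.22", "TCP", 49733, 88, "AS-REQ"),
    ("10.0.0.22", "TCP", 49734, 88, "TGS-REQ"),
    ("10.0.0.33", "UDP", 1301, 88, "AS-REQ"),
    ("10.0.0.22", "TCP", 49740, 445, ""),   # not Kerberos, ignored
]

def port_range(port):
    """Name the dynamic port range a client source port falls in."""
    if port in LEGACY_RANGE:
        return "1025-5000"
    if port in MODERN_RANGE:
        return "49152-65535"
    return "other"

def summarize(flows):
    """Per client: Kerberos transport behaviour and source port ranges."""
    seen = defaultdict(lambda: {"transports": set(), "too_big": False,
                                "fallback": False, "ranges": set()})
    for client, transport, client_port, server_port, note in flows:
        if server_port != 88:
            continue
        s = seen[client]
        # TCP 88 traffic after a RESPONSE_TOO_BIG error on UDP is the retry.
        if transport == "TCP" and s["too_big"]:
            s["fallback"] = True
        if transport == "UDP" and note == "KRB_ERR_RESPONSE_TOO_BIG":
            s["too_big"] = True
        s["transports"].add(transport)
        s["ranges"].add(port_range(client_port))
    report = {}
    for client, s in seen.items():
        if s["fallback"]:
            behaviour = "udp-then-tcp"
        elif len(s["transports"]) == 1:
            behaviour = next(iter(s["transports"])).lower() + "-only"
        else:
            behaviour = "mixed"
        report[client] = (behaviour, sorted(s["ranges"]))
    return report
```

Calling `summarize(SAMPLE_FLOWS)` returns one entry per client, which makes it easy to show side by side which hosts still start on UDP 88 and which go straight to TCP 88.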
Please see the reference below: