kerberos pains

  • kerberos pains

    We have an application that calls Kerberos and seems to be doing that on the LAN, but when behind a firewall we see UDP 137 and UDP 138 from the domain controller to the client, and those are denied. Once we open the firewall to let those packets through, the user is able to access the application. Why would I see UDP from the domain controller to the client when trying to use Kerberos?

  • #2
    Re: kerberos pains

    This might help:

    From http://www.auditmypc.com/port/udp-port-138.asp

    UDP 137 is used for browsing, directory replication, logon sequence, netlogon, pass-thru validation, printing support, trusts, and WinNT Secure Channel. Security Concerns: Key target in auth & DOS attacks. Block at all perimeters; NIC-filter on public-exposed MS hosts
    http://support.microsoft.com/kb/179442
    138/UDP NetBIOS Netlogon and Browsing
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



  • #3
    Re: kerberos pains

    Kerberos is based on name resolution, and for that you'll see ports being used for DNS; it could also fail over to NTLM and use NetBIOS.



  • #4
    Re: kerberos pains

    It all depends on what the application is trying to do. What's the application name, and is there any technical info made publicly available (doubt it though, most software houses tend to keep these things close to their chest)? Otherwise a call to the application developer might give you a better idea.
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR



  • #5
    Re: kerberos pains

    This is a home-grown application and the developer does not know. If Kerberos fails, the call should fail, which it does; it just seems to be dependent on NetBIOS, and I have not read any info about Kerberos and NetBIOS....



  • #6
    Re: kerberos pains

    Doesn't the developer know, or doesn't he want to know?
    As far as I know, Kerberos communicates via TCP/UDP 88. Now, I am not a developer myself, but I suspect maybe the application is using another service as well, such as the Netlogon service for pass-through authentication.
    The Netlogon service then uses the NetBIOS ports and protocols you mention.

    http://support.microsoft.com/default...b;en-us;832017

    Cheers
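
As an added illustration of the pattern described in this thread (example code, not from any poster), here is a small Python check that reads firewall log lines and flags a client whose Kerberos traffic (port 88) to a domain controller was allowed while the DC's NetBIOS datagrams (UDP 137/138) back to that client were denied, which is the Netlogon fall-back situation discussed above. The key/value log format, the addresses and the DC list are constructed assumptions.

```python
import re
from collections import defaultdict

# Ports discussed in the thread: Kerberos on 88, DNS for name resolution,
# NetBIOS 137/138 used by Netlogon when the client falls back from Kerberos.
SERVICES = {53: "DNS", 88: "Kerberos", 137: "NetBIOS name (Netlogon/browsing)",
            138: "NetBIOS datagram (Netlogon/browsing)"}
# Assumed generic key/value firewall log format, not any vendor's real format.
LINE_RE = re.compile(r"action=(\w+) src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")

def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    action, src, dst, proto, dport = m.groups()
    return {"action": action.lower(), "src": src, "dst": dst,
            "proto": proto.lower(), "dport": int(dport),
            "service": SERVICES.get(int(dport), "other")}

def analyse(lines, dcs):
    """Group flows by client and flag clients whose Kerberos traffic to a DC
    was allowed while the DC's NetBIOS (UDP 137/138) packets back were denied."""
    per_client = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        client = rec["dst"] if rec["src"] in dcs else rec["src"]
        per_client[client].append(rec)
    findings = {}
    for client, recs in per_client.items():
        kerberos = any(r["service"] == "Kerberos" and r["action"] == "allow"
                       and r["dst"] in dcs for r in recs)
        denied = sorted({r["dport"] for r in recs if r["src"] in dcs
                         and r["proto"] == "udp" and r["dport"] in (137, 138)
                         and r["action"] == "deny"})
        findings[client] = {"kerberos_seen": kerberos,
                            "netbios_denied_from_dc": denied,
                            "netbios_fallback": kerberos and bool(denied)}
    return findings

# Constructed sample log: 10.0.1.20 shows the fallback pattern, 10.0.1.21 does not.
SAMPLE_LOG = [
    "t=1 action=allow src=10.0.1.20 dst=10.0.0.5 proto=udp dport=53",
    "t=2 action=allow src=10.0.1.20 dst=10.0.0.5 proto=tcp dport=88",
    "t=3 action=deny src=10.0.0.5 dst=10.0.1.20 proto=udp dport=137",
    "t=3 action=deny src=10.0.0.5 dst=10.0.1.20 proto=udp dport=138",
    "t=4 action=allow src=10.0.1.21 dst=10.0.0.5 proto=tcp dport=88",
]
DCS = {"10.0.0.5"}  # assumed domain controller address
```

A client flagged with `netbios_fallback` is the case to take to the developer: the Kerberos exchange itself got through, and what the firewall is dropping is the DC-to-client NetBIOS traffic, which is what you would expect if a Netlogon pass-through or NTLM path is being used as well.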


  • #7
    Re: kerberos pains

    I'm not sure what the developer is up to... I think you have confirmed my theory... thanks
