Ports used during Kerberos Authentication

Guest

Hi,

I have 2 Win2K-based forests.
Between the 2 forests, I have a firewall allowing data from the 1st forest to go to the 2nd forest and blocking any data coming from the 2nd forest to the 1st forest EXCEPT if the data is a reply to a request established by the 1st forest.

I also established a two-way trust relationship between the 2 forests for users of the 1st forest to be able to access data through File Services located on a DC of the 2nd forest.
But when a user of the 1st forest tries to access data located on a server of the 2nd forest, here is the error message that comes up:
"There are currently no logon servers available to service the logon request."

I thought that during Kerberos authentication DCs did not need to send any request to the user's machine!
But apparently it must send a request, because otherwise it would work!

1) So could someone tell me what that request is that the AD (Ticket Granting Service) launches?
2) Could someone tell me the port I have to open from the 2nd forest to the 1st one for the authentication to work?
3) And would someone know what ports are used to be able to display the Security Entry Label instead of the SID?
ex: instead of S-1-5-454564646-500, having "MY_DOMAIN\Administrator"

Thank you in advance for any help.
Julien.
 
Simon Geary

Here is a complete list of the ports you will require.
http://support.microsoft.com/?id=832017

And here is a white paper on AD and firewalls.
http://www.microsoft.com/downloads/...46-43f0-4caf-9767-a9166368434e&displaylang=en

 
Eric Chamberlain

Trusts between W2K domains in separate forests use NTLM, not Kerberos.

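Added example (editor's code, not from any poster or from Microsoft's article): the two replies together explain the symptom. With an NTLM trust, the DC in the resource forest (2nd forest) has to open connections of its own to a DC in the account forest (1st forest) to locate it and pass the user's logon through the trust secure channel, so a firewall that only lets the 2nd forest answer requests will never permit those connections. The script below models the firewall from the question as a set of stateful permit rules and checks it against the DC-to-DC flows an external trust needs; the port list is the editor's reading of KB 832017 and should be verified against the article, and the zone names and rulesets are constructed for the illustration.

```python
"""Check a constructed firewall ruleset against the flows a Windows 2000 external
(NTLM) trust needs. Added example; ports follow KB 832017 as the editor reads it."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Flow:
    """One TCP/UDP connection that the initiator must be able to open."""
    src: str       # zone of the host that initiates the connection
    dst: str       # zone of the host that listens
    proto: str     # "tcp" or "udp"
    ports: range   # destination port(s); replies ride the same session
    purpose: str


@dataclass(frozen=True)
class Rule:
    """A stateful permit: src may initiate to dst on these ports, replies implied."""
    src: str
    dst: str
    proto: str
    ports: range


def _covers(rule: Rule, flow: Flow) -> bool:
    """True when the rule permits every port of the flow, in the flow's direction."""
    return (rule.src == flow.src and rule.dst == flow.dst and rule.proto == flow.proto
            and rule.ports.start <= flow.ports.start
            and rule.ports.stop >= flow.ports.stop)


def missing_flows(required: List[Flow], rules: List[Rule]) -> List[Flow]:
    """Required flows that no rule permits. A reply-only exception cannot satisfy
    them: these connections are opened by the resource-forest DC, not answered by it."""
    return [f for f in required if not any(_covers(r, f) for r in rules)]


ANY_PORT = range(1, 65536)

# Connections a resource-forest DC (forest2) opens towards an account-forest DC
# (forest1) to locate it and validate a forest1 user over the trust secure channel.
TRUST_VALIDATION_FLOWS = [
    Flow("forest2_dc", "forest1_dc", "udp", range(53, 54), "DNS: locate forest1 DCs"),
    Flow("forest2_dc", "forest1_dc", "udp", range(389, 390), "LDAP ping (DC locator)"),
    Flow("forest2_dc", "forest1_dc", "tcp", range(135, 136), "RPC endpoint mapper"),
    Flow("forest2_dc", "forest1_dc", "tcp", range(139, 140),
         "NetBIOS session: Netlogon / LSARPC named pipes"),
    Flow("forest2_dc", "forest1_dc", "tcp", range(445, 446),
         "SMB: Netlogon pass-through logon, LSARPC SID-to-name lookups"),
    Flow("forest2_dc", "forest1_dc", "tcp", range(1024, 65536),
         "RPC dynamic ports (Windows 2000 default range)"),
]

# The firewall as described in the question: forest1 may initiate anything towards
# forest2; nothing initiated from forest2 towards forest1 is permitted (constructed).
QUESTIONERS_RULES = [
    Rule("forest1_dc", "forest2_dc", "tcp", ANY_PORT),
    Rule("forest1_dc", "forest2_dc", "udp", ANY_PORT),
    Rule("forest1_client", "forest2_dc", "tcp", ANY_PORT),
    Rule("forest1_client", "forest2_dc", "udp", ANY_PORT),
]

# The same firewall with the reverse DC-to-DC flows added, one rule per flow.
CORRECTED_RULES = QUESTIONERS_RULES + [
    Rule("forest2_dc", "forest1_dc", f.proto, f.ports) for f in TRUST_VALIDATION_FLOWS
]


def report(rules: List[Rule]) -> List[str]:
    """One line per blocked trust flow; empty when the ruleset permits them all."""
    lines = []
    for f in missing_flows(TRUST_VALIDATION_FLOWS, rules):
        span = f"{f.ports.start}" if len(f.ports) == 1 else f"{f.ports.start}-{f.ports.stop - 1}"
        lines.append(f"BLOCKED {f.proto}/{span} {f.src} -> {f.dst}: {f.purpose}")
    return lines


if __name__ == "__main__":
    for name, rules in (("as described", QUESTIONERS_RULES), ("corrected", CORRECTED_RULES)):
        print(f"[{name}]")
        print("\n".join(report(rules)) or "all trust validation flows permitted")
```

Run as-is and the first report lists every DC-to-DC flow as blocked, which matches the "no logon servers available" error: the 2nd-forest DC cannot reach a 1st-forest DC to validate the user. The SID-to-name display in the third question rides the same channel (LSARPC over SMB on 445/139, or RPC via 135 plus a dynamic port), so the same rules cover it. Replace the constructed zones and port list with your own before relying on the result.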
 
