We have an application that calls Kerberos and seems to be doing that on the LAN, but when behind a firewall, we see UDP 137 and UDP 138 from the domain controller to the client, and those are denied. Once we open the firewall to let those packets through, the user is able to access the application. Why would I see UDP from the domain controller to the client when trying to use Kerberos?
Yeah, what you're seeing is a subsequent verification of the NetBIOS name after DNS resolution. If you look at a trace taken from the client and server, on the client you would see DNS calls going out (and if the client faces the DC for DNS and the trace is taken from there, you'd see incoming calls), then subsequent NetBIOS calls for any NTLM negotiation that may occur.
This can be adjusted by changing the node type on the clients; however, it's not necessary.
In a typical trace looking at something like this, you should see 88 UDP being called, along with 137 and 138, which are NetBIOS session calls, and in addition SMB, 135 TCP (RPC), and a port between 1024 and 5000 will be seen (RPC response).
To really get to the root of your problem, though, the app needs to be looked at. In other words, when the application makes a call to the server, is it via NetBIOS name or FQDN?
BTW, 137 and 138 are ports that are REQUIRED for proper domain operation (in an AD domain). See KB179442 for all required ports.
- Brandon Wilson
MCSE:Security00/03; MCSA:Security03
MCSA:Messaging00; MCP; A+
IT Pangaea (
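As an added example (not part of the thread above), here is a small Python script that reads constructed firewall deny lines and groups the flows involving the DC by the ports the reply lists, so you can see which parts of the domain conversation the firewall is dropping. The log format, IP addresses and service labels are assumptions of this example.

```python
import re
from collections import Counter

# Ports the reply lists as seen in a trace of a domain-joined client talking
# to its DC. The port-to-service labels are this example's assumption.
AD_PORTS = {
    ("udp", 88): "Kerberos",
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram",
    ("tcp", 135): "RPC endpoint mapper",
    ("tcp", 445): "SMB",
}
RPC_RESPONSE = range(1024, 5001)  # "a port between 1024 and 5000" (RPC response)

# Constructed firewall deny lines in a hypothetical "DENY proto src -> dst" format.
# 10.0.0.5 is the DC, 10.0.1.20 the client, 10.0.0.9 an unrelated web server.
SAMPLE_LOG = """\
DENY udp 10.0.0.5:137 -> 10.0.1.20:137
DENY udp 10.0.0.5:138 -> 10.0.1.20:138
DENY tcp 10.0.1.20:50001 -> 10.0.0.5:135
DENY tcp 10.0.1.20:50002 -> 10.0.0.5:1029
DENY udp 10.0.0.5:137 -> 10.0.1.20:137
DENY tcp 10.0.1.20:51000 -> 10.0.0.9:443
"""

LINE = re.compile(r"^DENY (tcp|udp) (\S+):(\d+) -> (\S+):(\d+)$")

def classify(proto, dport):
    """Map a denied flow to the AD service its destination port suggests."""
    if (proto, dport) in AD_PORTS:
        return AD_PORTS[(proto, dport)]
    if proto == "tcp" and dport in RPC_RESPONSE:
        return "RPC response (dynamic port)"
    return None

def blocked_ad_flows(log, dc_ip):
    """Count denied flows touching the DC, keyed by the AD service they map to."""
    counts = Counter()
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected deny format
        proto, src, _sport, dst, dport = m.groups()
        if dc_ip not in (src, dst):
            continue  # only flows to or from the DC matter here
        counts[classify(proto, int(dport)) or "unclassified"] += 1
    return counts

if __name__ == "__main__":
    for service, n in blocked_ad_flows(SAMPLE_LOG, "10.0.0.5").items():
        print(f"{n:3d}  {service}")
```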