Which network ports does the Authentication Services client use?
Which network ports do the Authentication Services Unix/Linux/MacOSX clients use?
What ports need to be opened in a DMZ or when using a firewall?
Authentication Services uses Active Directory for authentication and identity lookups, so the network infrastructure must allow each client to communicate with Active Directory. When designing firewalls and other network infrastructure, ensure that the ports listed below are open from the client to its Active Directory Domain Controllers.
Unless specific Domain Controllers are specified during the join, Authentication Services will also need to communicate with the forest root Domain Controllers over the same ports.
LDAP traffic generated via vas_attrs_find (and other lookups over port 389) is encrypted by Kerberos: the LDAP bind is SASL/GSSAPI and the session is signed and sealed, so LDAP over SSL (port 636) is not required.
NOTE: All of these ports are OUTGOING from Authentication Services clients to Active Directory. Authentication Services, by default, operates as a client and initiates all connections. It does not require any firewall exceptions for incoming traffic. The ports are:
53: If Unix hosts are to use DNS to automatically detect the available Domain Controllers, then DNS must be reachable as well. DNS traffic normally uses port 53, and both UDP and TCP are used (TCP for responses too large for a UDP packet). The DNS servers used by the Unix hosts must also serve the Active Directory DNS SRV records (for example _ldap._tcp.dc._msdcs.<domain>).
88: This is the port used for Kerberos authentication and for requesting Kerberos service tickets from Active Directory Domain Controllers. TCP is now used by default.
123: Used for NTP time synchronization with Active Directory (UDP). Kerberos rejects tickets when client and Domain Controller clocks differ by more than the permitted skew, so this is required for authentication to work.
389: This is the port used for LDAP searches against Active Directory Domain Controllers. TCP is normally used, but UDP (CLDAP, the Netlogon "ping") is used when detecting the Active Directory site membership of the client.
445: Used to retrieve Group Policy (SYSVOL) over SMB/CIFS. TCP is used.
464: This is the port used for changing and setting passwords against Active Directory using the Kerberos change password protocol (kpasswd). Authentication Services always uses TCP for password operations.
3268: This is the port used for LDAP searches against Active Directory Global Catalogs. TCP is always used when searching against the Global Catalog.
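The following script is an added example, not part of the Authentication Services product or of this article: it discovers Domain Controllers through the AD SRV records (the port 53 requirement above), then checks outbound TCP reachability to each of the ports listed on this page. It assumes `dig` is installed on the Unix host and uses `example.com` as a placeholder domain. UDP ports (53, 123, 389/CLDAP) cannot be verified with a plain connect and are only reported as "not tested".

```python
#!/usr/bin/env python3
"""Check outbound reachability from a Unix client to the AD ports listed above.
Added example; not code from the Authentication Services product or article."""
import socket
import subprocess
import sys

# Ports from the article: (port, protocols, purpose). 636 and 3269 are absent
# on purpose: LDAP traffic is Kerberos-sealed, so LDAPS is not required.
REQUIRED_PORTS = (
    (53, "tcp+udp", "DNS: SRV lookup of Domain Controllers"),
    (88, "tcp", "Kerberos authentication / service tickets"),
    (123, "udp", "NTP time synchronization"),
    (389, "tcp+udp", "LDAP (UDP CLDAP for site detection)"),
    (445, "tcp", "Group Policy (SYSVOL) over SMB/CIFS"),
    (464, "tcp", "Kerberos password change (kpasswd)"),
    (3268, "tcp", "LDAP against the Global Catalog"),
)


def tcp_ports():
    """Ports that can be probed with a TCP connect."""
    return [port for port, protos, _ in REQUIRED_PORTS if "tcp" in protos]


def udp_only_ports():
    """Ports that only use UDP and cannot be probed with a connect."""
    return [port for port, protos, _ in REQUIRED_PORTS if protos == "udp"]


def check_tcp(host, port, timeout=3.0):
    """True if an outbound TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unreachable, DNS failure
        return False


def parse_srv(text):
    """Parse `dig +short SRV` output ('priority weight port target.' per line)
    into (priority, weight, port, target) sorted by priority asc, weight desc."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank lines and anything that is not an SRV answer
        prio, weight, port, target = parts
        records.append((int(prio), -int(weight), int(port), target.rstrip(".")))
    records.sort()
    return [(p, -w, port, t) for p, w, port, t in records]


def discover_dcs(domain, site=None):
    """Return DC host names from the AD SRV records, via dig (assumed installed)."""
    if site:  # site-specific record, as used after site detection
        name = f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
    else:
        name = f"_ldap._tcp.dc._msdcs.{domain}"
    out = subprocess.run(["dig", "+short", "SRV", name],
                         capture_output=True, text=True, check=False).stdout
    return [target for _, _, _, target in parse_srv(out)]


def check_dc(host, timeout=3.0):
    """Map each required TCP port to whether it is reachable on host."""
    return {port: check_tcp(host, port, timeout) for port in tcp_ports()}


if __name__ == "__main__":
    # usage: check_ad_ports.py example.com [dc1.example.com ...]
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    dcs = sys.argv[2:] or discover_dcs(domain)
    if not dcs:
        sys.exit(f"no SRV records found for {domain}; check UDP/TCP 53 and the AD DNS zone")
    for dc in dcs:
        print(f"== {dc}")
        for port, ok in check_dc(dc).items():
            purpose = next(p for n, _, p in REQUIRED_PORTS if n == port)
            print(f"  tcp/{port:<5} {'open' if ok else 'BLOCKED':<8} {purpose}")
        for port in udp_only_ports():
            print(f"  udp/{port:<5} not tested (UDP cannot be probed with a connect)")
```

Run it as root or a normal user from the Unix host that is being joined; a "BLOCKED" result on 88 or 464 is the usual cause of a join that succeeds in LDAP discovery but fails at authentication or password change.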