Kerberos Network Ports

To enable clients outside the corporate firewall to communicate with the KDC and Kerberized services inside the firewall, some ports must be opened on the corporate firewall (Table 6-1).

Table 6-1. Kerberos 5 ports for client-to-KDC communication

| Machine | Local port (server) | Remote port (client) | Description |
|---|---|---|---|
| All KDCs | 88/udp, 88/tcp | Above 1024 | Kerberos 5 ticket service |
| All KDCs | 749/tcp | Above 1024 | Kerberos 5 kpasswd service for client password changes |
| All KDCs | 4444/udp | Above 1024 | Kerberos 5 to 4 ticket conversion service |
| All KDCs | 749/tcp | Above 1024 | Kerberos 5 administration service (MIT and Heimdal) |
| Master/Administrative KDC | 464/udp | Above 1024 | Kerberos 5 password changing service (older password-changing protocol) |

Strictly speaking, the only port that needs to be open for Kerberos to function properly is 88. The other ports can be opened as needed to provide their respective services to clients outside of the firewall.

Because of the inherent flaws in the Kerberos 4 protocol, it is not recommended that you open Kerberos 4 to the Internet. However, if you must open Kerberos 4 through your firewall, Table 6-2 lists the ports that it uses for client/KDC communication.

Table 6-2. Kerberos 4 ports for client-to-KDC communication

| Machine | Local port (server) | Remote port (client) | Description |
|---|---|---|---|
| All KDCs | 750/udp, 750/tcp | Above 1024 | Kerberos 4 ticket service |
| All KDCs | 751/udp, 751/tcp | Above 1024 | Kerberos 4 admin service |
| All KDCs | 761/tcp | Above 1024 | Kerberos 4 password changing service |
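The following is an added example, not code from the book: it encodes the port assignments from Tables 6-1 and 6-2, renders the minimal firewall policy the text describes (port 88 always, other Kerberos 5 services only when explicitly enabled, Kerberos 4 never by default) as nftables rules, and audits a constructed list of externally reachable ports against that policy. The KDC address `192.0.2.10`, the service keys, and the sample survey result are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class KdcService:
    description: str
    ports: tuple  # (port, protocol) pairs taken from the tables above

# Kerberos 5 services exactly as listed in Table 6-1.
KRB5_SERVICES = {
    "ticket": KdcService("Kerberos 5 ticket service", ((88, "udp"), (88, "tcp"))),
    "kpasswd": KdcService("Kerberos 5 kpasswd service", ((749, "tcp"),)),
    "krb4conv": KdcService("Kerberos 5 to 4 ticket conversion", ((4444, "udp"),)),
    "kadmin": KdcService("Kerberos 5 administration service", ((749, "tcp"),)),
    "kpasswd_old": KdcService("Older password-changing protocol", ((464, "udp"),)),
}
# Kerberos 4 services from Table 6-2; the text advises against exposing these.
KRB4_PORTS = {(750, "udp"), (750, "tcp"), (751, "udp"), (751, "tcp"), (761, "tcp")}

def allowed_ports(enabled=("ticket",)):
    """Set of (port, proto) the firewall should pass.  Port 88 is always
    included because Kerberos cannot function without it."""
    keys = set(enabled) | {"ticket"}
    return {pp for key in keys for pp in KRB5_SERVICES[key].ports}

def nft_rules(enabled=("ticket",), kdc_addr="192.0.2.10"):
    """Render one nftables accept rule per allowed port.  kdc_addr is a
    constructed documentation address (assumption), not a real KDC."""
    rules = []
    for port, proto in sorted(allowed_ports(enabled)):
        # Clients connect from ephemeral source ports ("above 1024" in the table).
        rules.append(f"ip daddr {kdc_addr} {proto} sport > 1024 "
                     f"{proto} dport {port} accept")
    return rules

def audit_exposure(observed, enabled=("ticket",)):
    """Compare ports found reachable from outside with the intended policy.
    Returns (krb5_ports_open_but_not_enabled, krb4_ports_open)."""
    observed = set(observed)
    all_krb5 = {pp for svc in KRB5_SERVICES.values() for pp in svc.ports}
    return ((observed & all_krb5) - allowed_ports(enabled),
            observed & KRB4_PORTS)

# Constructed result of an external port survey of the KDC, for illustration only.
SAMPLE_OBSERVED = [(88, "udp"), (88, "tcp"), (749, "tcp"), (750, "udp"), (22, "tcp")]

if __name__ == "__main__":
    print("\n".join(nft_rules(enabled=("ticket", "kpasswd_old"))))
    print(audit_exposure(SAMPLE_OBSERVED))
```

Ports the audit reports in the second set are Kerberos 4 exposures the text recommends closing; ports in the first set are Kerberos 5 services reachable without having been deliberately enabled in the policy.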

Get Kerberos: The Definitive Guide now with the O’Reilly learning platform.
