Kerberos Network Ports
To enable clients outside the corporate firewall to communicate with the KDC and with Kerberized services inside it, some ports must be opened on the corporate firewall (Table 6-1). The server-side port is fixed; the client side uses an ephemeral (above 1024) source port, so firewall rules should match on the destination port and allow the reply traffic back.

Table 6-1. Kerberos 5 network ports

| Machine | Local port (server) | Remote port (client) | Description |
|---|---|---|---|
| All KDCs | 88/udp 88/tcp | Above 1024 | Kerberos 5 ticket service (AS and TGS requests) |
| Master/Administrative KDC | 749/tcp | Above 1024 | Kerberos 5 administration service (kadmin protocol; MIT and Heimdal); MIT kpasswd clients that change passwords through the kadmin protocol use this port as well |
| Master/Administrative KDC | 464/udp | Above 1024 | Kerberos 5 password-changing service (kpasswd protocol, RFC 3244) |
| All KDCs | 4444/udp | Above 1024 | Kerberos 5 to Kerberos 4 ticket conversion service (krb524) |

Only the master KDC runs kadmind, so the administration and password-changing ports need to be open only to that host; the ticket service and the krb524 conversion service can be served by every KDC.
Strictly speaking, the only port that must be open for Kerberos authentication itself to work is 88, and it should be open for both UDP and TCP: clients normally try UDP first, and when a reply does not fit in a UDP datagram (a TGT carrying large authorization data, for example) the KDC answers with KRB_ERR_RESPONSE_TOO_BIG and the client retries over TCP (RFC 4120, section 7.2). The other ports are opened only as needed to provide their respective services to clients outside the firewall, and the Kerberized application services themselves (ssh, IMAP, and so on) still need their own ports opened. Bear in mind what exposing port 88 means: anyone who can reach the KDC can request tickets, and if pre-authentication is not required the KDC will hand out an AS-REP encrypted under the principal's long-term key to any requester, which can then be attacked offline. Require pre-authentication on any KDC reachable from outside the firewall.
Because of the inherent weaknesses of the Kerberos 4 protocol (among them its reliance on single DES), opening Kerberos 4 to the Internet is not recommended. If you nevertheless must pass Kerberos 4 through your firewall, Table 6-2 lists the ports it uses for client/KDC communication.

Table 6-2. Kerberos 4 network ports

| Machine | Local port (server) | Remote port (client) | Description |
|---|---|---|---|
| All KDCs | 750/udp 750/tcp | Above 1024 | Kerberos 4 ticket service |
| All KDCs | 751/udp 751/tcp | Above 1024 | Kerberos 4 admin service |
| All KDCs | 761/tcp | Above 1024 | Kerberos 4 password-changing service |
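The two port tables translate directly into firewall rules. The following is an added example, not code from the book or from any Kerberos distribution: it keeps the port specifications in the tables' own "88/udp 88/tcp" notation, parses them, and emits stateful iptables rules for a KDC that sits behind a filtering router (FORWARD chain, conntrack match). It treats 749 and 464 as master-only, since kadmind runs on the master KDC, and it refuses to open the Kerberos 4 ports unless the caller opts in, reflecting the recommendation above. The address 192.0.2.10 and the default client network are placeholders; the rules are returned as strings rather than executed.

```python
"""Generate stateful iptables rules for a Kerberos KDC from a port table.

Added example (not from the book). Addresses are placeholders; the rules are
returned as strings so the script can be reviewed before anything is applied.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class KrbService:
    name: str
    ports: str            # server ports in the book's table notation, e.g. "88/udp 88/tcp"
    master_only: bool = False   # served only by the master/administrative KDC (kadmind)
    krb4: bool = False          # Kerberos 4 service: off unless explicitly allowed


# Constructed from Table 6-1 (Kerberos 5) and Table 6-2 (Kerberos 4).
KRB5_SERVICES = [
    KrbService("krb5 ticket service (AS/TGS)", "88/udp 88/tcp"),
    KrbService("krb5 kadmin administration", "749/tcp", master_only=True),
    KrbService("krb5 kpasswd password change", "464/udp", master_only=True),
    KrbService("krb5-to-krb4 ticket conversion (krb524)", "4444/udp"),
]
KRB4_SERVICES = [
    KrbService("krb4 ticket service", "750/udp 750/tcp", krb4=True),
    KrbService("krb4 admin service", "751/udp 751/tcp", krb4=True),
    KrbService("krb4 password change", "761/tcp", krb4=True),
]


def parse_ports(spec):
    """Parse '88/udp 88/tcp' into [(88, 'udp'), (88, 'tcp')].

    Anything that is not <1-65535>/tcp or <1-65535>/udp is rejected, so a
    typo in the table cannot silently open a wrong port.
    """
    parsed = []
    for token in spec.split():
        port_text, _, proto = token.partition("/")
        if proto not in ("tcp", "udp") or not port_text.isdigit():
            raise ValueError(f"bad port spec: {token!r}")
        port = int(port_text)
        if not 0 < port < 65536:
            raise ValueError(f"port out of range: {token!r}")
        parsed.append((port, proto))
    return parsed


def firewall_rules(kdc_ip, is_master, client_net="0.0.0.0/0", allow_krb4=False):
    """Return the iptables commands (as strings) that admit Kerberos traffic to kdc_ip.

    - Replies ride on conntrack state, which also covers the UDP answers on 88/udp.
    - Client source ports are restricted to the ephemeral range, matching the
      'Above 1024' column of the tables.
    - Master-only services are opened only when is_master is set.
    - Kerberos 4 ports are opened only when allow_krb4 is explicitly True.
    - Everything else destined for the KDC is dropped by the final rule.
    """
    rules = [
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    services = list(KRB5_SERVICES)
    if allow_krb4:
        services += KRB4_SERVICES
    for svc in services:
        if svc.master_only and not is_master:
            continue
        for port, proto in parse_ports(svc.ports):
            rules.append(
                f"iptables -A FORWARD -p {proto} -s {client_net} --sport 1024:65535 "
                f"-d {kdc_ip} --dport {port} -m conntrack --ctstate NEW -j ACCEPT"
                f"  # {svc.name}"
            )
    rules.append(f"iptables -A FORWARD -d {kdc_ip} -j DROP")
    return rules


if __name__ == "__main__":
    # Rules for a slave KDC: only 88/udp, 88/tcp and 4444/udp are opened.
    for line in firewall_rules("192.0.2.10", is_master=False, client_net="198.51.100.0/24"):
        print(line)
```

Run it for the master KDC with `is_master=True` to add 749/tcp and 464/udp; passing `allow_krb4=True` is the deliberate step required before any of the Table 6-2 ports appear in the output.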