Please help as I don't understand how a computer logs onto a domain

Discussion in 'Windows Networking' started by Jacques Koorts, May 26, 2004.

  1. I'm reading Mark Minasi's book Mastering Windows 2000 Server 4th Ed, and
    have this question.

    The book says that when trying to log on, your computer looks for servers with
    port 88 and 389 open. Well, I did a port scan on my DC and saw that only port
    88 was open. I could log on just fine. Then I closed port 88 (stopped the
    Kerberos service), and am still able to log on (the login script is running
    fine, and typing "Set" at the command prompt gives me a server).

    So how now?

    Hope someone can shed some light on this.

    Kind regards
    Jacques Koorts, May 26, 2004

  2. Unless you've configured your server to -only- allow Kerberos
    authentication, clients will attempt "lower" authentication protocols if
    Kerberos fails:

    If Kerberos fails, they'll try NTLMv2
    If NTLMv2 fails, they'll try NTLM
    If NTLM fails, they'll try LM

    This is how down-level clients are able to connect to more modern Windows
    2000 servers even though they do not support things like Kerberos. By
    default, Windows 2000 will allow clients to negotiate authentication
    protocols all the way down to LM. (I think 2003 asks for a minimum of NTLM
    by default, but look that up before you quote me on it.)

    Mark has an -exhaustive- column on the topic of down-level clients and
    LM/NTLM credentials that is simply required reading: (link requires free
    Laura E. Hunter (MVP), May 26, 2004
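
Where the fallback described in the reply above is permitted, the logon records show which protocol each client actually ended up using. The following is an added example, not code from the thread or its participants: it parses constructed Security event 4624 XML and lists logons weaker than a chosen minimum. It assumes the `AuthenticationPackageName` and `LmPackageName` fields recorded by later Windows versions than the one discussed here; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Strength order from the thread: Kerberos > NTLMv2 > NTLM > LM
RANK = {"Kerberos": 3, "NTLM V2": 2, "NTLM V1": 1, "LM": 0}

# Constructed sample events (not real logs), trimmed to the fields used here.
def _event(user, package, lm_package):
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="AuthenticationPackageName">{package}</Data>
    <Data Name="LmPackageName">{lm_package}</Data>
  </EventData>
</Event>"""

SAMPLE_EVENTS = [
    _event("alice", "Kerberos", "-"),
    _event("bob", "NTLM", "NTLM V2"),
    _event("carol", "NTLM", "NTLM V1"),
    _event("legacy-pc$", "NTLM", "LM"),
]

def protocol_of(event_xml):
    """Return (user, protocol) for a 4624 event, or None for other events."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}
    package = data.get("AuthenticationPackageName", "")
    # For NTLM logons the sub-protocol is recorded in LmPackageName.
    protocol = data.get("LmPackageName", "") if package == "NTLM" else package
    return data.get("TargetUserName", ""), protocol

def downgraded_logons(events, minimum="NTLM V2"):
    """List (user, protocol) for logons weaker than `minimum`.
    Protocols not in RANK are listed too, so they get reviewed."""
    hits = []
    for ev in events:
        parsed = protocol_of(ev)
        if parsed and RANK.get(parsed[1], -1) < RANK[minimum]:
            hits.append(parsed)
    return hits

if __name__ == "__main__":
    for user, proto in downgraded_logons(SAMPLE_EVENTS, minimum="Kerberos"):
        print(f"{user}: authenticated with {proto}")
```

Running it with `minimum="Kerberos"` lists every logon that fell back from Kerberos, which is the situation the original poster created by stopping the Kerberos service.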

  3. Thanks Laura, that was quite an interesting article.
    Jacques Koorts, May 26, 2004