I have a IIS on a server which is a member of an AD domain. The app is using Windows Integrated Authentication and users want single sign-on. Besides the web app's port (80) are there additional ports required:
- Between the client PC and the web server?
- Between the web server and the domain controllers?
I am asking this because the customer is putting the web server behind a firewall and will open specific ports upon request only.
1 Answer
No, there aren't. Client authentication data is sent in the standard HTTP Authorization: header. Kerberos tokens are validated by the server itself (against its keytab or 'machine password'), and using the regular AD login protocol for NTLM.