OK, based on this, I think he is correct: I’ve been running a WireShark trace on a few DCs today (2008 domains and 2012 domains), and not seeing any UDP 88 traffic. I did find this:
[cid:image001.png@01D23B60.53FD8AF0] https://technet.microsoft.com/en-us/library/cc738673(v=ws.10).aspx So basically since Vista, and 2008, if a Kerberos packet is over 1 byte (which will be everything) it will send it as TCP instead of UDP, since this registry key now is part of the operating system. From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff Sent: Thursday, November 10, 2016 12:53 PM To: ntsysadm <ntsysadm@lists.myitforum.com> Subject: Re: [NTSysADM] Kerberos over UDP on Windows 10 and Server 2012 R2 I'd ask that colleague where he got the idea. I'm not seeing any documentation on this either. But, I did see this, which is interesting, even if unrelated: http://blogs.msmvps.com/acefekay/2016/11/01/active-directory-flexible-authentication-secure-tunneling-fast/ Kurt On Thu, Nov 10, 2016 at 6:29 AM, Christopher Bodnar <christopher_bod...@glic.com<mailto:christopher_bod...@glic.com>> wrote: A colleague told me that these operating systems no longer use UDP 88 for Kerberos, that they only use TCP. Is that correct? If so, can someone point me to an MS document that discusses this? I’ve looked and haven’t been able to find anything. I am aware that you can force Kerberos to use TCP: https://support.microsoft.com/en-us/kb/244474 But that isn’t what he is talking about. Thanks Christopher Bodnar Enterprise Architect II, Corporate Office of Technology:Enterprise Architecture and Engineering Services Tel 610-807-6459<tel:610-807-6459> 3900 Burgess Place, Bethlehem, PA 18017 christopher_bod...@glic.com<mailto:christopher_bod...@glic.com> The Guardian Life Insurance Company of America www.guardianlife.com<http://www.guardianlife.com/> ________________________________ ----------------------------------------- This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by return e-mail and delete the message and any attachments. Thank you. ----------------------------------------- This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by return e-mail and delete the message and any attachments. Thank you.
