Well, you were obvious much more motivated and had more time to search than I did.
Good find. Kurt On Thu, Nov 10, 2016 at 11:40 AM, Christopher Bodnar < [email protected]> wrote: > OK, based on this, I think he is correct: > > > > I’ve been running a WireShark trace on a few DCs today (2008 domains and > 2012 domains), and not seeing any UDP 88 traffic. I did find this: > > > > > > https://technet.microsoft.com/en-us/library/cc738673(v=ws.10).aspx > > > > So basically since Vista, and 2008, if a Kerberos packet is over 1 byte > (which will be everything) it will send it as TCP instead of UDP, since > this registry key now is part of the operating system. > > > > > > > > *From:* [email protected] [mailto:listsadmin@lists. > myitforum.com] *On Behalf Of *Kurt Buff > *Sent:* Thursday, November 10, 2016 12:53 PM > *To:* ntsysadm <[email protected]> > *Subject:* Re: [NTSysADM] Kerberos over UDP on Windows 10 and Server 2012 > R2 > > > > I'd ask that colleague where he got the idea. I'm not seeing any > documentation on this either. > > But, I did see this, which is interesting, even if unrelated: > http://blogs.msmvps.com/acefekay/2016/11/01/active-directory-flexible- > authentication-secure-tunneling-fast/ > > Kurt > > > > On Thu, Nov 10, 2016 at 6:29 AM, Christopher Bodnar < > [email protected]> wrote: > > A colleague told me that these operating systems no longer use UDP 88 for > Kerberos, that they only use TCP. Is that correct? If so, can someone point > me to an MS document that discusses this? I’ve looked and haven’t been able > to find anything. I am aware that you can force Kerberos to use TCP: > > > > > > https://support.microsoft.com/en-us/kb/244474 > > > > But that isn’t what he is talking about. > > > > Thanks > > > > > > *Christopher Bodnar* > Enterprise Architect II, Corporate Office of Technology:Enterprise > Architecture and Engineering Services > > Tel 610-807-6459 > 3900 Burgess Place, Bethlehem, PA 18017 > [email protected] > > > > * The Guardian Life Insurance Company of America* > > * www.guardianlife.com <http://www.guardianlife.com/>* > > > > > ------------------------------ > > ----------------------------------------- This message, and any > attachments to it, may contain information that is privileged, > confidential, and exempt from disclosure under applicable law. If the > reader of this message is not the intended recipient, you are notified that > any use, dissemination, distribution, copying, or communication of this > message is strictly prohibited. If you have received this message in error, > please notify the sender immediately by return e-mail and delete the > message and any attachments. Thank you. > > > > ------------------------------ > ----------------------------------------- This message, and any > attachments to it, may contain information that is privileged, > confidential, and exempt from disclosure under applicable law. If the > reader of this message is not the intended recipient, you are notified that > any use, dissemination, distribution, copying, or communication of this > message is strictly prohibited. If you have received this message in error, > please notify the sender immediately by return e-mail and delete the > message and any attachments. Thank you. > >
