I think you are seeing different answers because people are using different 
services.

I do not believe there is a single port for NTLM authentication. If you are 
connecting to an HTTP service, then the authentication is passed over the HTTP 
headers. If you are connecting to an SMB share, then the credentials can be 
tunnelled over the SMB commands to port 445. If you are connecting to an RPC 
based service, then it'll probably be a random high order port (unless the 
remote component listens on a specific port).

Cheers
Ken

________________________________
From: Christopher Bodnar [[email protected]]
Sent: Thursday, 5 November 2009 7:51 AM
To: NT System Admin Issues
Subject: NTLM authentication question

Can someone give me a brief overview of the communication that takes place when 
a client falls back to NTLM for Domain Authentication after Kerberos fails? I’m 
interested in the ports it’s using, not the actual handshake that takes place. 
I’ve read a few things that say it’s UDP 137, UDP 138, and TCP 139, others that 
it can be dynamic.

All help appreciated.

Thanks,

Chris Bodnar, MCSE
Sr. Systems Engineer
Infrastructure Service Delivery
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: [email protected]
Phone: 610-807-6459
Fax: 610-807-6003
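
Added example, not part of the original thread: because NTLM rides inside whatever protocol carries it (HTTP headers, SMB on 445, RPC on a dynamic port), a monitoring check has to look for the NTLMSSP message itself rather than a port number. The function names and sample data below are constructed for illustration.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"          # every NTLM message starts with this
MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
HTTP_AUTH_HEADERS = ("authorization", "www-authenticate",
                     "proxy-authorization", "proxy-authenticate")


def ntlm_message_type(blob: bytes):
    """Return the message type name if blob starts with an NTLMSSP message."""
    if len(blob) < 12 or not blob.startswith(NTLMSSP_SIGNATURE):
        return None
    (msg_type,) = struct.unpack_from("<I", blob, 8)   # little-endian type field
    return MESSAGE_TYPES.get(msg_type)


def ntlm_in_http_header(header_line: str):
    """NTLM over HTTP: the token is base64 in an auth header, on any HTTP port."""
    name, _, value = header_line.partition(":")
    if name.strip().lower() not in HTTP_AUTH_HEADERS:
        return None
    scheme, _, token = value.strip().partition(" ")
    # Only the explicit NTLM scheme is handled; NTLM wrapped in Negotiate is not.
    if scheme.upper() != "NTLM" or not token:
        return None
    try:
        return ntlm_message_type(base64.b64decode(token.strip(), validate=True))
    except ValueError:                                # malformed base64
        return None


def ntlm_in_payload(payload: bytes):
    """NTLM over SMB or RPC: the same message embedded in a binary payload."""
    offset = payload.find(NTLMSSP_SIGNATURE)
    return None if offset < 0 else ntlm_message_type(payload[offset:])


# Constructed samples (not captured traffic): a minimal Type 1 message
# and two carriers for it.
SAMPLE_TYPE1 = NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0x00088207)
SAMPLE_HTTP = "Authorization: NTLM " + base64.b64encode(SAMPLE_TYPE1).decode()
SAMPLE_SMB = b"\xfeSMB" + b"\x00" * 60 + SAMPLE_TYPE1   # filler, not a valid SMB2 packet

if __name__ == "__main__":
    print("HTTP header :", ntlm_in_http_header(SAMPLE_HTTP))
    print("SMB payload :", ntlm_in_payload(SAMPLE_SMB))
```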





