Fermilab Computing Sector

Open Ports Needed by Kerberos

To enable clients behind firewalls (outside Fermilab) to communicate with the Kerberos KDCs (Key Distribution Center servers) and Kerberized services at Fermilab, the ports listed in the table below must be opened on the firewall (this may also apply to host-based firewall software). These are the ports on which the Fermilab KDCs and KCAs (Kerberized Certificate Authorities) listen. In addition, the Fermilab KDCs and KCAs are in the address block (except for the KDC at Soudan which is in the address block

Scroll down to the bottom of the page for the table of port numbers used by Kerberos.

UDP Ports TCP Ports
To get tickets, including the initial TGT 88 88
To change password from UNIX/Linux, also for Kerberos DB administration access (kadmin)
To change password with WRQ Reflections from Windows 464 464
If you need AFS tokens with your Kerberos tickets 749 and 4444
Used by kx509 to access the KCA server 9878
Used by AFS servers; may be needed by AFS clients 7000-7007

For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by Computer Security Team; last modified by FJN on October 25, 2012.
(Address comments about page to the Computer Security Team.)