
kpasswd and Windows clients


So one of the firewall guys asked me about some drops on port 464 (kpasswd) for a new client location we set up in Paris. I was under the impression MS included kpasswd for UNIX interoperability, as I was pretty sure that MS operating systems didn’t use it. No issues had been reported changing passwords, even though many new users were at the site and would have been forced to change their passwords. Some new Windows 7 machines had been installed at the site, some of the first at our organisation (yes, we are behind!).

I couldn’t get hold of any users onsite, so I ran Wireshark on a test Win7 machine talking to a test 2008 functional level domain and took a look at the traces when changing the password using the ctrl+alt+del ‘change password’ option. Sure enough, Win7 uses the KPASSWD protocol to change passwords. From the trace below (filter “dns || ntlmssp || kerberos || samr”) you can see the client sends an AS_REQ to the authentication server and obtains a ticket for the kadmin/changepw SPN (another type of ticket the AS issues besides the TGT):

On receiving the response it sends the KPASSWD packet to the DC and receives the response (you can take my word for it that it was ‘success’), then issues new requests based on the new password:

I tested various scenarios, and in fact the same situation occurs for Win7 clients talking to 2003 (functional level and all 2003 DCs), whether the client and server are in the same forest or in different domains joined by either a forest trust or an external trust. (This was the situation with the site we set up, since that domain was at 2003 level.)

The situation when using an XP client is entirely different (I didn’t have a Vista client to test – who does in a commercial environment?). XP always uses SAMR (RPC-over-SMB, on 445/tcp), whether it is talking to a 2008 or 2003 based domain, either in the same forest or a trusted (external or forest) domain:

On my test Win7 box I blocked port 464 tcp/udp, and sure enough it still allowed the password change, but reverted to SAMR like XP (in my trace I guess you don’t see the KPASSWD request because the Comodo firewall blocked it before Wireshark saw it):

So, given that Win7 ALWAYS defaults to KPASSWD (for any 2003 or 2008 domain, trusted or single domain), why isn’t _kpasswd (port 464) in the Microsoft list of domain ports that we supply to our firewall teams?
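If you want to spot this from the firewall side rather than from a Wireshark trace, the pattern described above is easy to pull out of drop logs: a client hits a DC on 464 tcp/udp, gets dropped, and then (if the fallback works) talks SAMR over 445/tcp to the same DC. The script below is an added example, not code from this post or from any vendor tool; the log line format is a hypothetical generic one (`ACTION src=… dst=… proto=… dport=…`) and the addresses are constructed, so adapt the regex to whatever your firewall actually emits. It also checks a port allow list for the missing 464 entry that this post is about.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (hypothetical format, addresses invented for this example).
# 10.50.1.x are the new-site clients, 10.0.0.10/11 are domain controllers.
SAMPLE_LOG = """\
DROP   src=10.50.1.21 dst=10.0.0.10 proto=tcp dport=464
DROP   src=10.50.1.21 dst=10.0.0.10 proto=udp dport=464
ACCEPT src=10.50.1.21 dst=10.0.0.10 proto=tcp dport=445
ACCEPT src=10.50.1.22 dst=10.0.0.11 proto=tcp dport=88
DROP   src=10.50.1.22 dst=10.0.0.11 proto=tcp dport=464
ACCEPT src=10.50.1.23 dst=10.0.0.10 proto=tcp dport=464
ACCEPT src=10.50.1.21 dst=10.0.0.10 proto=tcp dport=389
"""

KPASSWD_PORT = 464   # Kerberos password change (kpasswd), tcp and udp
SAMR_PORT = 445      # SMB; SAMR password change rides RPC-over-SMB on this port

# Ports a client needs to reach a DC for the password-change paths discussed in the post.
DC_PORTS = {88: "kerberos", 464: "kpasswd", 445: "smb/samr"}

LINE_RE = re.compile(
    r"^(?P<action>DROP|ACCEPT)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+proto=(?P<proto>tcp|udp)\s+dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["dport"] = int(event["dport"])
    return event


def analyse(log_text):
    """Per DC: which clients had kpasswd dropped, and which of those then used SAMR (445/tcp)."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]

    dropped = defaultdict(set)           # dc -> clients whose 464 traffic was dropped
    for e in events:
        if e["action"] == "DROP" and e["dport"] == KPASSWD_PORT:
            dropped[e["dst"]].add(e["src"])

    # (client, dc) pairs where SMB was accepted, i.e. the SAMR fallback path was open.
    samr_ok = {(e["src"], e["dst"]) for e in events
               if e["action"] == "ACCEPT" and e["dport"] == SAMR_PORT and e["proto"] == "tcp"}

    report = {}
    for dc, clients in dropped.items():
        report[dc] = {
            "clients_dropped": sorted(clients),
            "samr_fallback": sorted(c for c in clients if (c, dc) in samr_ok),
            # No 445 seen from these clients: the change may have failed, or the log is incomplete.
            "no_samr_seen": sorted(c for c in clients if (c, dc) not in samr_ok),
        }
    return report


def missing_dc_ports(allowed_ports):
    """Return {port: name} for the DC ports absent from a firewall allow list."""
    return {p: n for p, n in DC_PORTS.items() if p not in set(allowed_ports)}


if __name__ == "__main__":
    for dc, info in analyse(SAMPLE_LOG).items():
        print(dc, info)
    # An allow list built from the old Microsoft port list, without 464.
    print("missing:", missing_dc_ports([53, 88, 135, 389, 445, 636]))
```

Run against the constructed log, the report shows 10.50.1.21 dropped on 464 but accepted on 445 to the same DC (the Win7 fallback the post describes), while 10.50.1.22 was dropped on 464 with no SAMR follow-up, which is the case worth chasing; the allow-list check flags 464 as the one missing port.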

EDIT: looks like they added it finally, better late than never…
