Wednesday, March 28, 2018

If I Can't Reach Active Directory, it's Down

Unless it's not.

I recently had a customer tell me that my AD servers were broken. They were unable to set SPNs via Setspn.

They were able to run AD queries and were able to do other "AD Stuff". As always, I demanded a packet capture.

In very short order, the issue was clear. Setspn, for reasons I cannot guess, uses RPCs to the domain controller to set SPNs. I have no clue why it doesn't just use LDAP. LDAP is better; it only requires one port, which we know will be open.

RPCs are a pain: they require TCP 135, the endpoint mapper, and then some random high port, named at the time of connection.

Below, we see that the customer hit the EPM in Frame 873 and was assigned a new connection on port 1028. We see the SYN to 1028 in 874, then retries in 966 and 1146.

Firewalls and Windows RPCs don't mix.
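The pattern in the capture above (EPM answers on 135, then the client's SYNs to the assigned dynamic port go unanswered) is easy to spot by hand once, but worth automating when you triage "AD is down" tickets regularly. The script below is an added example, not code from the original post; it reads a constructed tshark-style one-line-per-frame summary (frame, source, destination, protocol, info), pairs the endpoint mapper's "Map response" port with the TCP handshake that follows it, and reports whether the failure is on TCP 135 itself or on the dynamic port. The sample lines are constructed here, loosely modelled on the frame numbers the post mentions, and the summary format is an assumption of this example, not a real pcap parser.

```python
import re

# Constructed capture summary (not the post's capture): frame src dst proto info.
# Models the failure the post describes: EPM maps port 1028, then SYNs to 1028 get no SYN/ACK.
BLOCKED_CAPTURE = """\
870 10.0.0.5 10.0.0.10 TCP 50112 > 135 [SYN]
871 10.0.0.10 10.0.0.5 TCP 135 > 50112 [SYN, ACK]
872 10.0.0.5 10.0.0.10 TCP 50112 > 135 [ACK]
873 10.0.0.10 10.0.0.5 EPM Map response, port 1028
874 10.0.0.5 10.0.0.10 TCP 50113 > 1028 [SYN]
966 10.0.0.5 10.0.0.10 TCP 50113 > 1028 [SYN] Retransmission
1146 10.0.0.5 10.0.0.10 TCP 50113 > 1028 [SYN] Retransmission
"""

# Constructed healthy exchange for comparison: dynamic port answers.
HEALTHY_CAPTURE = """\
10 10.0.0.5 10.0.0.10 TCP 50112 > 135 [SYN]
11 10.0.0.10 10.0.0.5 TCP 135 > 50112 [SYN, ACK]
12 10.0.0.10 10.0.0.5 EPM Map response, port 49667
13 10.0.0.5 10.0.0.10 TCP 50113 > 49667 [SYN]
14 10.0.0.10 10.0.0.5 TCP 49667 > 50113 [SYN, ACK]
"""

EPM_PORT = 135  # RPC endpoint mapper, the one fixed port in the exchange

LINE_RE = re.compile(r"^(?P<frame>\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<info>.*)$")
TCP_RE = re.compile(r"(?P<sport>\d+) > (?P<dport>\d+) \[(?P<flags>[^\]]*)\]")
EPM_RE = re.compile(r"Map response, port (?P<port>\d+)")


def parse_summary(text):
    """Turn summary lines into event dicts with ports/flags (TCP) or the mapped port (EPM)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        ev = m.groupdict()
        ev["frame"] = int(ev["frame"])
        tcp = TCP_RE.search(ev["info"])
        if tcp:
            ev["sport"] = int(tcp["sport"])
            ev["dport"] = int(tcp["dport"])
            ev["flags"] = {f.strip() for f in tcp["flags"].split(",")}
        epm = EPM_RE.search(ev["info"])
        if epm:
            ev["epm_port"] = int(epm["port"])
        events.append(ev)
    return events


def _handshake(events, dport):
    """Count bare SYNs sent to dport and whether any SYN/ACK came back from it."""
    syns = [e for e in events if e.get("dport") == dport and e.get("flags") == {"SYN"}]
    synacks = [e for e in events if e.get("sport") == dport and {"SYN", "ACK"} <= e.get("flags", set())]
    return len(syns), bool(synacks)


def diagnose_rpc(events):
    """Decide whether TCP 135 or the EPM-assigned dynamic port is what the firewall is eating."""
    epm_syns, epm_ok = _handshake(events, EPM_PORT)
    result = {"epm_reachable": epm_ok, "endpoint_port": None,
              "syn_attempts": 0, "handshake_completed": False}
    if not epm_ok:
        result["verdict"] = "endpoint mapper (TCP 135) unreachable" if epm_syns else "no RPC traffic seen"
        return result
    mapped = [e["epm_port"] for e in events if "epm_port" in e]
    if not mapped:
        result["verdict"] = "no endpoint mapper response"
        return result
    port = mapped[-1]  # the port the EPM told the client to use
    attempts, ok = _handshake(events, port)
    result.update(endpoint_port=port, syn_attempts=attempts, handshake_completed=ok)
    result["verdict"] = "ok" if ok else "dynamic RPC port blocked"
    return result


if __name__ == "__main__":
    for name, cap in (("blocked", BLOCKED_CAPTURE), ("healthy", HEALTHY_CAPTURE)):
        print(name, diagnose_rpc(parse_summary(cap)))
```

The useful part of the verdict is the distinction it draws: if 135 never completes a handshake the problem is the well-known port and any RPC client will fail, whereas "dynamic RPC port blocked" means the firewall allowed the endpoint mapper but not the range it hands out, which is exactly why LDAP-based tools kept working for the customer while Setspn did not.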


RPC OPEN ALL THE PORTS!!
