Nov 09
ESX4 and esxcfg-auth issue
I had an interesting issue today with enabling AD authentication on an ESX4 host. On ESX3.5, when you run `esxcfg-auth --enablead`, it opens all the needed ports on the ESX console.
In ESX4 it opens port 88 UDP, but this did not work. As soon as we opened 88 TCP, we could use our AD account to log in via SSH.
Looking at /etc/vmware/firewall/services.xml, you will see that port 88 UDP is specified as activeDirectorKerberos. This wiki mentions the following:
“UDP TCP: Originally Kerberos used UDP as its transport protocol but modern implementations also support TCP to overcome PDU size limitations in UDP. All modern clients support TCP but older clients might not.”
(Definition of PDU is here)
Thanks to Craigh Stuart for pointing this out.
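An added example, not part of the original post: a Python check that reads a firewall service definition and reports which Kerberos transport rules on port 88 are absent. The XML layout, the outbound direction and the sample data are assumptions constructed for illustration, not a copy of the real services.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The element layout is an assumption modelled on a
# firewall services file, not a copy of the real /etc/vmware/firewall/services.xml.
SAMPLE_SERVICES_XML = """
<ConfigRoot>
  <service id='0000'>
    <id>sshClient</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <port type='dst'>22</port>
    </rule>
  </service>
  <service id='0001'>
    <id>activeDirectorKerberos</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>udp</protocol>
      <port type='dst'>88</port>
    </rule>
  </service>
</ConfigRoot>
"""

# Kerberos on port 88 needs both transports: UDP, plus TCP for large replies.
# The outbound direction (host to domain controller) is an assumption.
REQUIRED = {("outbound", "udp", 88), ("outbound", "tcp", 88)}


def service_rules(xml_text, service_id):
    """Return the (direction, protocol, port) rules defined for one service."""
    for service in ET.fromstring(xml_text).iter("service"):
        if service.findtext("id", "").strip() == service_id:
            return {(r.findtext("direction", "").strip().lower(),
                     r.findtext("protocol", "").strip().lower(),
                     int(r.findtext("port", "0")))
                    for r in service.iter("rule")}
    raise KeyError("service not defined: %s" % service_id)


def missing_kerberos_rules(xml_text, service_id="activeDirectorKerberos"):
    """Return the required Kerberos rules that the service definition lacks."""
    return sorted(REQUIRED - service_rules(xml_text, service_id))


if __name__ == "__main__":
    for direction, proto, port in missing_kerberos_rules(SAMPLE_SERVICES_XML):
        print("missing: %s %s/%d" % (direction, proto, port))
```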