https://live.paloaltonetworks.com/t5/general-topics/policy-for-ad-authentication-across-zones/m-p/79128#M43162 <P>This documentation on MS TechNet details the AD port requirements and their function.</P> <P>&nbsp;</P> <P><A href="https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx" target="_blank">https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx</A></P> Sun, 05 Jun 2016 12:01:12 GMT pulukas 2016-06-05T12:01:12Z https://live.paloaltonetworks.com/t5/general-topics/policy-for-ad-authentication-across-zones/m-p/78855#M43053 <P>Trying to narrow it down and determine the minimum set of applications/services that need to be allowed for a user to login into a Windows 7 client in one zone and authenticate against a Server 2008R2 AD Domain Controller in a different zone? The Windows 7 client is a member of the domain. Need the ability for users to change passwords, access a read-only file share and also for GPO to work.</P> <P>&nbsp;</P> <P>Any ideas are very much appreciated.</P> <P>&nbsp;</P> Tue, 31 May 2016 22:30:01 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-for-ad-authentication-across-zones/m-p/78855#M43053 PierreJvR 2016-05-31T22:30:01Z https://live.paloaltonetworks.com/t5/general-topics/policy-for-ad-authentication-across-zones/m-p/79128#M43162 <P>This documentation on MS TechNet details the AD port requirements and their function.</P> <P>&nbsp;</P> <P><A href="https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx" target="_blank">https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx</A></P> Sun, 05 Jun 2016 12:01:12 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-for-ad-authentication-across-zones/m-p/79128#M43162 pulukas 2016-06-05T12:01:12Z https://live.paloaltonetworks.com/t5/general-topics/policy-for-ad-authentication-across-zones/m-p/79950#M43265 <P>Thanks Steve,</P> <P>&nbsp;</P> <P>This is a useful TechNet article, but it is about DC to DC communications; I'm looking for client to DC communications info.</P> <P>&nbsp;</P> <P>Cheers,</P> <P>Pierre</P> Wed, 08 Jun 2016 14:42:57 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-for-ad-authentication-across-zones/m-p/79950#M43265 PierreJvR 2016-06-08T14:42:57Z https://live.paloaltonetworks.com/t5/general-topics/policy-for-ad-authentication-across-zones/m-p/83731#M43324 <P>Can't seem to find the client to DC article. &nbsp;But here are the ports I pulled when setting this up a few years back.</P> <P>&nbsp;</P> <P>53/tcp and 53/udp (only if the DC is also the&nbsp;DNS source)<BR />749/udp<BR />88/tcp/udp<BR />389/tcp/udp<BR />3268/tcp&nbsp;</P> <P>445/tcp/udp<BR />123/udp<BR />135/tcp</P> <P>tcp random range:&nbsp;49152 to&nbsp;65535</P> Fri, 10 Jun 2016 23:51:07 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-for-ad-authentication-across-zones/m-p/83731#M43324 pulukas 2016-06-10T23:51:07Z https://live.paloaltonetworks.com/t5/general-topics/policy-for-ad-authentication-across-zones/m-p/86967#M43429 <P>Hello and sorry for the late reply. Here are the applications I have setup for my cross zone AD authentication:</P> <P>&nbsp;</P> <P>active-directoy</P> <P>dns</P> <P>kerberos</P> <P>ldap</P> <P>ms-ds-smb</P> <P>ms-kms</P> <P>ms-netlogon</P> <P>ms-product-activation</P> <P>msrpc</P> <P>netbios-dg</P> <P>netbios-ns</P> <P>netbios-ss</P> <P>ntp</P> <P>ssl</P> <P>&nbsp;</P> <P>I'm sure you might not need all, but its a start.</P> <P>&nbsp;</P> <P>Cheers!</P> Wed, 15 Jun 2016 14:07:12 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-for-ad-authentication-across-zones/m-p/86967#M43429 OtakarKlier 2016-06-15T14:07:12Z