AD auth & Wireshark

Hi

My domain is kamuk.com and is AD 2008. I have a Windows 2008 server that runs ApplicationA. To log onto it, the application is supposed to carry out a query against AD so that I can use my AD username and password.

This doesn't seem to be working. I would like to check whether ApplicationA is even querying AD.

I guess the best way to do this would be to run Wireshark whilst attempting to log on? We have several DCs in our site, so I can't filter by all their IP addresses, so I think destination port would be easiest. Should I check for either 386 or 3268?

If so, which one is used for authentication?

Any help appreciated
kam_uk Asked:
Mike Kline Commented:
You can install it on the application server and filter for ports 389 (LDAP) and 3268 (GC) to look for lookups against a DC. You can also filter on the DC IP address:

ip.dst==192.168.0.0/16 (just an example) or ip.dst==ipaddresshere

Thanks

Mike
 
kam_uk (Author) Commented:
Thanks Mike.

So if there is no traffic to port 389/3268, then there is no AD lookup taking place?

And which particular port does it use (or does it use both) for authentication for an application?
 
Mike Kline Commented:
Authentication uses Kerberos (port 88). Yeah, so no traffic on ports 389 and 3268 at all from the server?
kam_uk (Author) Commented:
Hi

Nope, nothing on 389 or 3268. I guess a problem with the app then?

Out of interest -

1. Should I also be checking for port 88 (which isn't there anyway)?

2. Should it be port 389 OR 3268, or port 386 AND 3268? I mean, does the app use both or one of them?

3. If one of the two ports, then what defines which?

Thanks again!
 
Mike Kline Commented:
389 is just the LDAP lookup, whereas 3268 will search the GC. It depends on the application; it is odd that you are not seeing any traffic on any of the ports.
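The advice in the answers above (filter the capture on ports 389 and 3268, on the DC addresses, and on Kerberos port 88) can be turned into a repeatable check rather than eyeballing the packet list. The following Python is an added example and is not code from this thread or from any of the participants. It assumes a packet export produced by tshark in the field order src,dst,tcp.dstport,udp.dstport; the app server address 192.168.10.25, the DC subnet 192.168.10.0/24 and the sample export itself are constructed for illustration. The port-to-service table is the standard set of ports a domain member uses when it authenticates a user against AD, and it goes a little beyond the thread by also covering DNS SRV lookups, LDAPS/GC-over-TLS, SMB/Netlogon and the Kerberos password-change port.

```python
"""Summarise AD-related traffic from an application server in a tshark export.

Assumed export command (an assumption for this example, not from the thread):
    tshark -r app_logon.pcapng -T fields -E separator=, \
        -e ip.src -e ip.dst -e tcp.dstport -e udp.dstport
giving one packet per line as "src,dst,tcp_dstport,udp_dstport", with the
field of the transport not in use left empty.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Destination ports a domain member touches when it verifies an AD user's
# credentials. Keyed by (transport, port); values are what to expect to see
# in Wireshark. Standard AD port assignments, not taken from the thread.
AD_SERVICES = {
    ("udp", 53): "DNS (SRV records for _ldap._tcp / _kerberos._tcp)",
    ("tcp", 53): "DNS (TCP)",
    ("udp", 88): "Kerberos",
    ("tcp", 88): "Kerberos",
    ("udp", 389): "CLDAP (LDAP ping / DC locator)",
    ("tcp", 389): "LDAP",
    ("tcp", 636): "LDAPS",
    ("tcp", 3268): "Global Catalog (LDAP)",
    ("tcp", 3269): "Global Catalog (LDAPS)",
    ("tcp", 445): "SMB / Netlogon (NTLM pass-through)",
    ("tcp", 464): "Kerberos password change",
}

# Constructed sample standing in for a real export of one logon attempt from the
# app server 192.168.10.25. The DCs (and the DNS server) live in 192.168.10.0/24.
SAMPLE_EXPORT = """\
192.168.10.25,192.168.10.5,,53
192.168.10.5,192.168.10.25,,50123
192.168.10.25,192.168.10.11,88,
192.168.10.25,192.168.10.11,389,
192.168.10.25,192.168.10.12,3268,
192.168.10.25,192.168.10.12,3268,
192.168.10.25,203.0.113.9,443,
192.168.10.25,192.168.10.11,135,
"""


def parse_export(text):
    """Parse the tshark field export into (src, dst, transport, dstport) tuples."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, tcp_port, udp_port = line.split(",")
        if tcp_port:
            transport, port = "tcp", int(tcp_port)
        elif udp_port:
            transport, port = "udp", int(udp_port)
        else:
            continue  # neither TCP nor UDP (e.g. ICMP): irrelevant here
        packets.append((ip_address(src), ip_address(dst), transport, port))
    return packets


def ad_traffic_summary(packets, app_server, dc_networks):
    """Count packets from app_server to the DC networks on AD service ports.

    Returns ({service_name: packet_count}, {DC addresses actually contacted}).
    An empty counter is the "no AD lookup is happening" result from the thread.
    """
    nets = [ip_network(n) for n in dc_networks]
    app = ip_address(app_server)
    hits = Counter()
    hosts = set()
    for src, dst, transport, port in packets:
        if src != app or not any(dst in n for n in nets):
            continue
        name = AD_SERVICES.get((transport, port))
        if name:
            hits[name] += 1
            hosts.add(str(dst))
    return hits, hosts


def display_filter(app_server, dc_networks):
    """Equivalent Wireshark display filter, for pasting into the GUI filter bar."""
    port_expr = " || ".join(f"{t}.port == {p}" for t, p in sorted(AD_SERVICES))
    net_expr = " || ".join(f"ip.dst == {n}" for n in dc_networks)
    return f"ip.src == {app_server} && ({net_expr}) && ({port_expr})"


if __name__ == "__main__":
    hits, hosts = ad_traffic_summary(parse_export(SAMPLE_EXPORT),
                                     "192.168.10.25", ["192.168.10.0/24"])
    print("Display filter:", display_filter("192.168.10.25", ["192.168.10.0/24"]))
    if not hits:
        print("No AD traffic from the app server: the app is not querying AD.")
    for name, count in hits.most_common():
        print(f"{count:4d}  {name}")
    print("DC hosts contacted:", ", ".join(sorted(hosts)))
```

Reading the summary: Kerberos (88) from the server means the application is doing integrated Windows authentication, or the server itself is obtaining a ticket on the user's behalf; TCP 389 or 3268 with no Kerberos means the application is binding to LDAP itself, in which case a simple bind on 389/3268 carries the user's password in the clear unless it is wrapped in TLS on 636/3269 or via STARTTLS. Whether the application picks 389 or 3268 is the application's choice: 3268 only makes sense when it needs to find users anywhere in a multi-domain forest, while 389 against a DC of the user's own domain is enough for a plain credential check. A DNS SRV lookup just before the first DC connection is normal and shows the server is locating DCs rather than using a hard-coded address.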
 
kam_uk (Author) Commented:
Thanks again. I'm still a little confused on whether the app would use 389 or 3268, to be honest. All the app needs to do is verify someone's AD credentials to allow them access to the app, in a multi-domain forest, so would it use both, or just one?

I think there's a problem with the app where it's not querying AD for whatever reason?
 
kam_uk (Author) Commented:
Any idea, Mike?
 
Mike Kline Commented:
Not sure. I would have expected the app to use one of the ports (LDAP or the GC). What does the capture show?

Thanks

Mike
