Required firewall ports for importing Active Directory profiles with MOSS


In very secure environments, your Active Directories may not be completely available to your MOSS machine, especially if you have AD trusts involved.  I had a particular case where MOSS was installed in a Win2k3 forest that trusts a very secure Win2k forest "one way".  What I mean by very secure is that MOSS only had ports opened to its DC and that DC had the ports opened for the trust to the 2nd forest (and to a single DC).

 

Then came the issue with importing profiles from both forests in the MOSS SSP.  At first, we thought that only the LDAP ports would be required but we then found out that there are 2 types of imports : Active Directory and LDAP.  The LDAP one requires using an LDAP MembershipProvider.  While you can use the ActiveDirectoryMembership, that would mean using Forms Based Authentication and we weren't planning to use that.

 

So if you use Windows Integrated authentication, you need to use the Active Directory profile import.  Luckily, we didn't have a firewall to the "host" forest so no issues there.  The fun started when we tried to import from the Win2k domain and finding an exact response of which ports were required for that feature only proved to be challenging and we couldn't simply open all ports.  Here's the ones we needed to open:

  • 389 (UDP / TCP) for LDAP
  • 135 (TCP) for RPC
  • 139 (TCP) for communication, then the DCOM port (TCP) that is returned by the 139 request.
  • 88 (TCP) for kerberos authentication
  • *445 (TCP) (Directory services) might be required but I didn't see it in the network monitoring logs

 

Note that we didn't have 88 opened at first and the import process was going at a pace of 4-6 profiles per minutes ...  it was going through ... just painfully slow.  When we opened it, it was going at a pace of 1000+/min.

 

Note also that, when you edit a connection and you want to specify a domain controller, a drop-down must appear with a list of DC.  If the list of DC doesn't show, it's because 139 and the DCOM port aren't opened.  We also found a bug if you go back to re-edit the connection, the "auto-discover" radio button is ALWAYS selected by default.  You need to change it back to "specify a domain controller" or else, if you do a modification, it will activate the auto-discovery.

 

Last, if you do not want to import accounts that are disabled, enter this in the "user filter" : (&(objectCategory=person)(objectClass=user)( !(userAccountControl:1.2.840.113556.1.4.803:=2))).

 

Maxime

Comments (3)
  1. BlueSky2010 says:

    Hi Maxime,

    I'm importing from LDAP source and seeing error message (SPSImport Exception from HRESULT: 0x8004400C (Error (0x8007203a)) also described in the following thread. I've checked ports per your suggestion and they all seems to be open except 88. I'm not using Kerberos authentication and don't know whether 88 port is a requirement or not. Also most of the users (43 k) import fine only few thousands aren't. I used to see this exception before but profile were getting imported fine. Not sure what caused it to partially stop now.

    Do you have any suggestion for me?

    Many thanks in advanced!

    social.technet.microsoft.com/…/991110c5-d396-481e-ba27-40da6ec4b8f7

  2. wouldn't be surprised if 88 helps for that actually — it's not only used for Kerberos authentication but also for other AD communications.  I'd try that.

Comments are closed.

Skip to main content