First published on TECHNET on Jun 25, 2010
Below is a list of ports that need to be opened on Active Directory Certificate Services servers to enable HTTP- and DCOM-based enrollment.
The information was developed by Microsoft Consultant Services during one of our customer engagements.
| Protocol | Port | From | To | Action | Comments |
|---|---|---|---|---|---|
| Kerberos | 464 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Source: Certificate Enrollment Web Services; Destination: DC; Service: Kerberos (network port tcp/464) |
| LDAP | 389 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Source: Certificate Enrollment Web Services; Destination: DC; Service: LDAP (network port tcp/389) |
| LDAP | 636 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Source: Certificate Enrollment Web Services; Destination: DC; Service: LDAP (network port tcp/636) |
| DCOM/RPC | Random port above port 1023 | Certificate Enrollment Web Services; all XP clients requesting certs | CA | Allow | See http://support.microsoft.com/kb/154596/en-us for details on RPC/DCOM configuration |
| HTTPS | 443 | All clients requesting certs | Certificate Enrollment Web Services | Allow | Source: Windows 7 client; Destination: Certificate Enrollment Web Services; Service: https (network port tcp/443) |
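The fixed TCP rows in the table can be checked end to end with a short PowerShell script. The script below is an added example and is not part of the original post; the hostnames `dc01.corp.example` and `ces01.corp.example` are placeholders you replace with your own Domain Controller and Certificate Enrollment Web Services server. Each probe should be run from the host named in the "From" column (the three DC-bound flows from the CES server, the HTTPS flow from an enrolling client).

```powershell
# Added example (not from the original post): verify the fixed-port flows
# listed in the firewall table. Hostnames are placeholders; replace them.
$DomainController = 'dc01.corp.example'    # placeholder: a DC the CES server talks to
$CesServer        = 'ces01.corp.example'   # placeholder: the Certificate Enrollment Web Services host

# One entry per fixed-port table row: where the probe must run from,
# the destination, and the port the "Allow" rule has to permit.
$RequiredFlows = @(
    @{ Name = 'Kerberos tcp/464'; RunFrom = 'CES server'; Target = $DomainController; Port = 464 },
    @{ Name = 'LDAP tcp/389';     RunFrom = 'CES server'; Target = $DomainController; Port = 389 },
    @{ Name = 'LDAP tcp/636';     RunFrom = 'CES server'; Target = $DomainController; Port = 636 },
    @{ Name = 'HTTPS tcp/443';    RunFrom = 'client';     Target = $CesServer;        Port = 443 }
)

function Test-RequiredFlow {
    param([hashtable]$Flow)
    # -InformationLevel Quiet returns $true only when the TCP handshake to the
    # destination port completes, i.e. the firewall path is actually open.
    $open = Test-NetConnection -ComputerName $Flow.Target -Port $Flow.Port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{
        Flow    = $Flow.Name
        RunFrom = $Flow.RunFrom
        Target  = $Flow.Target
        Port    = $Flow.Port
        Open    = [bool]$open
    }
}

$results = $RequiredFlows | ForEach-Object { Test-RequiredFlow -Flow $_ }
$results | Format-Table -AutoSize

# The DCOM/RPC row uses a dynamic port above 1023, so a single fixed-port probe
# cannot prove it; the KB article referenced in the table covers that configuration.
$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    $list = ($blocked | ForEach-Object { "$($_.Flow) -> $($_.Target):$($_.Port)" }) -join ', '
    Write-Warning "Flows still blocked (check firewall rules): $list"
}
```

A row reported as not open from the correct source host means the corresponding "Allow" rule is missing or is being shadowed by another rule; the DCOM/RPC flow is deliberately left out of the probe because its port is not fixed.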
Updated Nov 09, 2023, Version 3.0