SideCar and Firewalls FAQ


What is SideCar?
SideCar is a program that allows Kerberos authentication through applications that don't normally support Kerberos. The most common use of SideCar at Cornell is to restrict web pages. Most web browsers do not support Kerberos authentication, so SideCar runs alongside the browser to handle authentication.

What is Kerberos?
Kerberos is a protocol that allows authentication without sending passwords over the network. For more information about Kerberos, please visit this web page: http://www.cit.cornell.edu/kerberos/about.html

How does SideCar work?
SideCar is a server that listens for incoming connections on port 913. When you try to access a restricted service at Cornell (for example WebMail or Library resources), the web server connects to SideCar on your computer to prompt you for your NetID and password.

For example, when you try to check your e-mail with WebMail the following steps occur:

  1. Your web browser connects to the web server (webmail.cornell.edu) at port 80.
  2. The web server connects to SideCar on your computer at port 913.
  3. SideCar prompts you for your NetID and password.
  4. SideCar checks with the Kerberos server to confirm your identity.
  5. SideCar sends a message back to the web server, confirming your identity.
  6. The web server sends the requested web page back to your web browser.

Why does SideCar require special configuration of a firewall?
SideCar acts as a server, listening for incoming connections on port 913. Most firewalls are set to block any incoming connection, so SideCar will not function properly behind them: when the remote server requests a connection to port 913 on your computer, the request is blocked by the firewall.

How can I use SideCar behind a firewall?
Using SideCar behind a firewall requires allowing incoming connections to port 913 to pass through the firewall. The instructions on how to do this are different for all firewalls.
For instructions on how to get SideCar to work behind the built-in Windows XP firewall, please visit this web site: http://www.cit.cornell.edu/helpdesk/win/kerb/winxp_firewall.html.
For instructions on how to get SideCar to work behind the built-in Mac OS X 10.2 firewall, please visit this web site:
http://www.cit.cornell.edu/helpdesk/mac/kerberos/kerbfirewall.html
For other firewall products, please consult the documentation for your firewall.

Why won't SideCar work behind a NAT (Network Address Translator)?
When you first connect to a remote server, you send your IP address to the remote server. The server then tries to connect to SideCar using that same IP address. When you are behind a NAT (such as when you are sharing an internet connection), your computer has a private IP address. When you try to access the internet, your IP address is masked and replaced by a shared IP address. When the remote server tries to find SideCar at that shared IP address, it cannot find your computer and the connection fails.
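
The firewall and NAT failure cases described above can be told apart from the client side. This is an added example, not part of the original FAQ or of SideCar; the function names are hypothetical, an RFC 1918 address is taken as the sign of a NAT, and SideCar is assumed to accept connections on the loopback address.

```python
import ipaddress
import socket

SIDECAR_PORT = 913  # port the FAQ says SideCar listens on

# RFC 1918 private ranges: addresses a NAT hides behind a shared public IP
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private_address(ip):
    """True if ip is an RFC 1918 address, i.e. the host is likely behind a NAT."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

def port_accepts_connections(host, port=SIDECAR_PORT, timeout=2.0):
    """Attempt a TCP connect, as the web server does in step 2 of the flow."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(local_ip, listener_up):
    """Map the two observations onto the failure cases the FAQ describes."""
    if not listener_up:
        return "SideCar is not listening on port %d" % SIDECAR_PORT
    if is_private_address(local_ip):
        return "behind NAT: server cannot reach port %d at the shared address" % SIDECAR_PORT
    return "routable address: check that the firewall allows inbound port %d" % SIDECAR_PORT

def primary_local_ip():
    """Address the OS would use for outbound traffic (no packets are sent)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect(("192.0.2.1", 9))  # TEST-NET-1 placeholder, only selects a route
        return s.getsockname()[0]
    except OSError:
        return "127.0.0.1"
    finally:
        s.close()

if __name__ == "__main__":
    ip = primary_local_ip()
    up = port_accepts_connections("127.0.0.1")  # loopback: tests the listener only
    print(ip, "->", diagnose(ip, up))
```

The loopback check confirms only that something is listening on port 913; whether the firewall passes inbound connections to that port has to be verified from another host.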

How can I use SideCar with a NAT?
Unfortunately, there is no secure way to get SideCar working behind a NAT.

