Ports required for single sign-on to domain web server

I have a IIS on a server which is a member of an AD domain. The app is using Windows Integrated Authentication and users want single sign-on. Besides the web app’s port (80) are there additional ports required:

• Between the client PC and the web server?
• Between the web server and the domain controllers?

I am asking this because the customer is putting the web server behind a firewall and will open specific ports upon request only.

Related:

• Event ID 6143 (Windows SharePoint Services health model)
• Event ID 697 — Federation Service Authentication Web Pages
• Event ID 124 — Windows NT Token-Based Application Configuration
• The authentication package value ({value}) is not supported on server {server name}. Check the Connections tab on the Connection Agreement. {connection agreement name}
• Microsoft Exchange Server has detected that Basic Authentication is being attempted between this server and server ‘%1’. This authentication mechanism is not secure and it is not supported between front-ends and back-ends. If this condition persists, please verify that server ‘%1’ is properly configured to use Integrated Windows Authentication for each virtual directory used by Exchange. After applying any changes it may be necessary to restart Internet Information Services on both the front-end and back-end servers.