Kerberos Authentication failed due to time skew


 

Here is a case we recently worked on about Kerberos authentication issue.

 

Symptoms:

Assume there is a web site which provides search functions under virtual directory with the Integrated Windows authentication. When clients use FQDN access the web site from out-of-domain, they have to click “OK” button three times on popup authentication windows to get the result grid back.

 

Analysis:

In the IIS log, it records "401 1 2148074241", which indicates that the handle specified is invalid.

 

2009-04-15 00:30:26 W3SVC1 10.101.nn.nn GET /Portal/dddd.aspx - 80 - 10.1.19.53 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+InfoPath.1) 401 2 2148074254

 

In the Security log, the system was recording Event ID 537.

 

Event Type:   Failure Audit

Event Source:Security

Event Category:       (2)

Event ID:       537

Date:            4/15/2009

Time:            3:47:32 PM

User:            NT AUTHORITY\SYSTEM

Computer:     XXX

Description:

Logon Failure:

          Reason:                  An error occurred during logon

          User Name:  

          Domain:                 

          Logon Type:   3

          Logon Process:         Kerberos

          Authentication Package:       Kerberos

          Workstation Name:   -

          Status code:  0xC000006D

          Substatus code:       0xC0000133

          Caller User Name:    -

          Caller Domain:         -

          Caller Logon ID:       -

          Caller Process ID:     -

          Transited Services:   -

          Source Network Address:    10.101.nn.nn

          Source Port:  1310

          Caller Process Name:          %16

 

Generally, status code 0xC000006D means "STATUS_LOGON_FAILURE" and substatus code 0xC0000133 translates to "STATUS_TIME_DIFFERENCE_AT_DC". The problem could be caused by a time difference (greater than 5 minutes) between the two computers.

 

In the network trace, we also can see

 

HTTP  KRB Error: KRB5KRB_AP_ERR_SKEW (text/html)

 

KRB5KRB_AP_ERR_SKEW indicates that the clock skew is too great.

 

Checking the timestamps between the client and server network traces verified that there was a 13-minute difference.
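As an added example (not part of the original post), the following Python decodes the two evidence sources used above, the IIS W3C log line's sc-win32-status and the Event ID 537 status/substatus pair, and checks a measured clock offset against the Kerberos default 5-minute tolerance. The IIS field order is assumed from the quoted log line, and the sample timestamps are constructed to reproduce the 13-minute offset seen in this case.

```python
from datetime import datetime, timedelta

# SSPI error codes as they appear (in decimal) in IIS's sc-win32-status column.
SSPI_WIN32_STATUS = {
    0x80090301: "SEC_E_INVALID_HANDLE (the handle specified is invalid)",
    0x8009030E: "SEC_E_NO_CREDENTIALS (no credentials are available in the security package)",
}

# IIS 401 substatus meanings.
HTTP_401_SUBSTATUS = {1: "logon failed", 2: "logon failed due to server configuration"}

# NTSTATUS values seen in the Security event's Status/Substatus fields.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
}

# Assumed W3C field order, matching the 14 columns of the log line quoted above.
IIS_FIELDS = ("date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port "
              "cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status").split()

def parse_iis_line(line):
    """Split one W3C log line into a dict and translate its status columns."""
    fields = line.split()  # W3C values are space-separated; spaces inside values are '+'
    if len(fields) != len(IIS_FIELDS):
        raise ValueError(f"expected {len(IIS_FIELDS)} fields, got {len(fields)}")
    rec = dict(zip(IIS_FIELDS, fields))
    for key in ("sc-status", "sc-substatus", "sc-win32-status"):
        rec[key] = int(rec[key])
    if rec["sc-status"] == 401:
        rec["substatus-name"] = HTTP_401_SUBSTATUS.get(rec["sc-substatus"], "unknown")
    code = rec["sc-win32-status"]
    rec["win32-name"] = SSPI_WIN32_STATUS.get(code, f"unknown (0x{code:08X})")
    return rec

def decode_event_537(status, substatus):
    """Map the Status/Substatus codes of a Security event to their NTSTATUS names."""
    unknown = lambda c: f"unknown (0x{c:08X})"
    return NTSTATUS.get(status, unknown(status)), NTSTATUS.get(substatus, unknown(substatus))

def kerberos_skew(client_time, server_time, max_skew=timedelta(minutes=5)):
    """Return (skew_seconds, within_tolerance); Kerberos tolerates 5 minutes by default."""
    skew = abs(client_time - server_time)
    return skew.total_seconds(), skew <= max_skew

# The IIS log line quoted in the case above.
IIS_LINE = ("2009-04-15 00:30:26 W3SVC1 10.101.nn.nn GET /Portal/dddd.aspx - 80 - 10.1.19.53 "
            "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+InfoPath.1) 401 2 2148074254")

if __name__ == "__main__":
    print(parse_iis_line(IIS_LINE))
    print(decode_event_537(0xC000006D, 0xC0000133))
    # Constructed trace timestamps: server clock 13 minutes ahead of the client, as in this case.
    client = datetime(2009, 4, 15, 0, 30, 26)
    print(kerberos_skew(client, client + timedelta(minutes=13)))  # (780.0, False)
```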

 

Solution:

 

It is clear now that the time difference (>5 min) between the client and the server causes the Kerberos authentication issue. Changing the client machine time to synchronize with the IIS server resolves the issue. Refer to this article:

 

Verifying Computer Settings for Troubleshooting Kerberos

http://technet.microsoft.com/en-us/library/cc787535.aspx

 

------------------------------------------------------------------

Make sure that the clocks are synchronized across the domain.

Many network services, including Kerberos authentication, are dependent on time synchronization throughout the domain. You can manually synchronize a computer with the time on the domain.

To synchronize the computer's time with the current time on the domain

 

1.    Click Start, and then click Run.

2.    Type net time /domain /set, and then click OK.

-------------------------------------------------------------------

 

More information:

 

How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication

http://support.microsoft.com/kb/215383/

 

Regards,

 

Anik Shen
