Here is a case we recently worked on involving a Kerberos authentication problem.
Assume there is a web site that provides search functions under a virtual directory protected by Integrated Windows authentication. When clients outside the domain access the site by its FQDN, they have to click “OK” three times in the authentication prompt before the result grid comes back.
The IIS log records these requests as 401.1 with Win32 status 2148074241 (0x80090301, SEC_E_INVALID_HANDLE, “The handle specified is invalid”); the line captured below is a 401.2 with Win32 status 2148074254 (0x8009030E, SEC_E_NO_CREDENTIALS). Neither code names the root cause on its own, so the Security log is the next place to look.
2009-04-15 00:30:26 W3SVC1 10.101.nn.nn GET /Portal/dddd.aspx – 80 – 10.1.19.53 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+InfoPath.1) 401 2 2148074254
In the Security log, Event ID 537 failure audits were being recorded:
Event Type: Failure Audit
Event Category: (2)
Event ID: 537
Time: 3:47:32 PM
User: NT AUTHORITY\SYSTEM
Reason: An error occurred during logon
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: –
Status code: 0xC000006D
Substatus code: 0xC0000133
Caller User Name: –
Caller Domain: –
Caller Logon ID: –
Caller Process ID: –
Transited Services: –
Source Network Address: 10.101.nn.nn
Source Port: 1310
Caller Process Name: %16
Status code 0xC000006D is STATUS_LOGON_FAILURE, and substatus code 0xC0000133 is STATUS_TIME_DIFFERENCE_AT_DC: the logon was rejected because the clocks of the two computers differ by more than the Kerberos tolerance, which is 5 minutes by default (the “Maximum tolerance for computer clock synchronization” Kerberos policy setting). It is the substatus, not the generic status, that carries the diagnosis. On Windows Vista / Server 2008 and later the same failure is audited as Event ID 4625 with the same substatus, and on the domain controller side as Event ID 4771 with failure code 0x25 (KRB_AP_ERR_SKEW).
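To make the decoding above repeatable, here is an added PowerShell example (not part of the original case write-up) that maps the codes found in the IIS W3C log (sc-status.sc-substatus plus the sc-win32-status SSPI HRESULT) and in the Status/Substatus fields of a failure-audit logon event, and flags the clock-skew signature. The sample log lines and event text are constructed to resemble the case; the field layout assumed is the default W3C layout shown in the log line above.

```powershell
# Added example, not part of the original case write-up: decode the codes that show up in
# the IIS W3C log and in Security event 537 (4625 on newer Windows) so a clock-skew
# failure can be identified from the logs alone. All sample data below is constructed.

# sc-win32-status values IIS writes for failed Integrated Windows authentication (SSPI HRESULTs).
$Win32Status = @{
    '2148074241' = 'SEC_E_INVALID_HANDLE (0x80090301): the handle specified is invalid'
    '2148074252' = 'SEC_E_LOGON_DENIED (0x8009030C): the logon attempt failed'
    '2148074254' = 'SEC_E_NO_CREDENTIALS (0x8009030E): no credentials are available in the security package'
    '2148074274' = 'SEC_E_TIME_SKEW (0x80090322): client and server clocks are not synchronized'
}

# NTSTATUS values from the Status/Substatus fields of a failure-audit logon event.
$NtStatus = @{
    '0xC000006D' = 'STATUS_LOGON_FAILURE'
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
    '0xC0000064' = 'STATUS_NO_SUCH_USER'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
    '0xC0000133' = 'STATUS_TIME_DIFFERENCE_AT_DC: clock skew exceeds the Kerberos tolerance (5 minutes by default)'
}

function Get-IisAuthFailure {
    # Parses one W3C log line whose last three fields are sc-status, sc-substatus and
    # sc-win32-status (default layout: date time s-sitename s-ip cs-method cs-uri-stem
    # cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status).
    param([string]$Line)
    if ($Line -like '#*' -or [string]::IsNullOrWhiteSpace($Line)) { return }   # skip header lines
    $f = $Line -split ' '
    if ($f.Count -lt 14) { return }
    $status = $f[-3]; $sub = $f[-2]; $win32 = $f[-1]
    if ($status -ne '401') { return }                # only authentication challenges and failures
    $meaning = if ($Win32Status.ContainsKey($win32)) { $Win32Status[$win32] } else { 'unmapped Win32 status 0x{0:X8}' -f [int64]$win32 }
    [pscustomobject]@{
        Time    = "$($f[0]) $($f[1])"
        Client  = $f[9]
        Uri     = $f[5]
        Status  = "$status.$sub"
        Meaning = $meaning
        Skew    = ($win32 -eq '2148074274')
    }
}

function Get-LogonFailureReason {
    # Pulls the Status/Substatus codes out of the text of a failure-audit logon event.
    param([string]$EventText)
    $status = [regex]::Match($EventText, '(?m)^\s*Status code:\s*(0x[0-9A-Fa-f]{8})').Groups[1].Value
    $sub    = [regex]::Match($EventText, '(?m)^\s*Substatus code:\s*(0x[0-9A-Fa-f]{8})').Groups[1].Value
    [pscustomobject]@{
        Status    = "$status $($NtStatus[$status])"
        Substatus = "$sub $($NtStatus[$sub])"
        Skew      = ($sub -eq '0xC0000133')
    }
}

# Constructed sample data modelled on the log and event shown above (not the real case data).
$SampleIisLog = @(
    '#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status',
    '2009-04-15 00:30:26 W3SVC1 10.101.0.10 GET /Portal/search.aspx - 80 - 10.1.19.53 Mozilla/4.0 401 2 2148074254',
    '2009-04-15 00:30:26 W3SVC1 10.101.0.10 GET /Portal/search.aspx - 80 - 10.1.19.53 Mozilla/4.0 401 1 2148074241',
    '2009-04-15 00:30:27 W3SVC1 10.101.0.10 GET /Portal/search.aspx - 80 - 10.1.19.53 Mozilla/4.0 401 1 2148074274',
    '2009-04-15 00:35:02 W3SVC1 10.101.0.10 GET /Portal/search.aspx - 80 CONTOSO\alice 10.1.19.53 Mozilla/4.0 200 0 0'
)
$SampleEvent = @'
Event ID: 537
Logon Type: 3
Logon Process: Kerberos
Status code: 0xC000006D
Substatus code: 0xC0000133
Source Network Address: 10.1.19.53
'@

$SampleIisLog | ForEach-Object { Get-IisAuthFailure $_ } | Format-Table -AutoSize
Get-LogonFailureReason $SampleEvent
```

The IIS side only reports SEC_E_TIME_SKEW when SSPI itself detects the skew; in the case above it did not, which is why the Security event's substatus is the field to correlate on. Feed `Get-IisAuthFailure` the real log with `Get-Content`, and `Get-LogonFailureReason` the `Message` property of events returned by `Get-WinEvent`.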
The network trace also shows:
HTTP KRB Error: KRB5KRB_AP_ERR_SKEW (text/html)
KRB5KRB_AP_ERR_SKEW means “clock skew too great”: the timestamp in the authenticator of the client’s AP-REQ is outside the tolerance the server allows.
Comparing the timestamps in the client-side and server-side network traces confirms a difference of 13 minutes.
So the time difference (>5 minutes) between client and server is what breaks Kerberos authentication. Synchronizing the client machine’s clock with the domain, and therefore with the IIS server, resolved the issue. Refer to this article:
Verifying Computer Settings for Troubleshooting Kerberos
Make sure that the clocks are synchronized across the domain.
Many network services, including Kerberos authentication, depend on time synchronization throughout the domain. You can manually synchronize a computer with the time on the domain.
To synchronize the computer’s time with the current time on the domain
1. Click Start, and then click Run.
2. Type net time /domain /set, and then click OK.
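As an added PowerShell example (not from the referenced article), the following measures the offset against the domain time source with w32tm, resyncs only when the offset exceeds the Kerberos tolerance, and measures again so the fix is verified rather than assumed. `$Dc` is an assumed name; point it at a domain controller (or the IIS host’s own time source). Run it from an elevated prompt.

```powershell
# Added example, not from the referenced article: measure clock offset against the domain
# time source, resync if it exceeds the Kerberos tolerance, then re-measure to confirm.
# $Dc is an assumed name; replace it with a domain controller or the IIS server's time source.
$Dc = 'dc01.contoso.com'
$ToleranceSeconds = 300     # Kerberos "Maximum tolerance for computer clock synchronization" default: 5 minutes

function Get-ClockOffsetSeconds {
    # w32tm /stripchart prints one sample per line ending in the offset, e.g. "15:27:00, +00.0123456s"
    # (/dataonly form) or "..., o:+00.0123456s"; unreachable targets print "error: 0x........" instead.
    param([string]$Target, [int]$Samples = 3)
    $lines = & w32tm /stripchart /computer:$Target /samples:$Samples /dataonly 2>&1
    $offsets = foreach ($l in $lines) {
        if ("$l" -match '(?:o:)?([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "No time samples from ${Target}: $($lines -join ' | ')" }
    ($offsets | Measure-Object -Average).Average
}

$before = Get-ClockOffsetSeconds -Target $Dc
'Offset from {0} before: {1:N3}s' -f $Dc, $before

if ([math]::Abs($before) -gt $ToleranceSeconds) {
    if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
        # Domain member: resync from the domain hierarchy it is already configured to use.
        & w32tm /resync
    } else {
        # Out-of-domain client, as in this case: point it at the domain's time source, then resync.
        & w32tm /config /manualpeerlist:$Dc /syncfromflags:manual /update
        & w32tm /resync
    }
    $after = Get-ClockOffsetSeconds -Target $Dc
    'Offset from {0} after: {1:N3}s' -f $Dc, $after
    if ([math]::Abs($after) -gt $ToleranceSeconds) {
        Write-Warning 'Still outside the Kerberos tolerance; check the Windows Time service and the network path to the time source.'
    }
} else {
    'Within the Kerberos tolerance; clock skew is not the cause here.'
}
```

Measuring before touching the clock matters: `net time /set` and `w32tm /resync` both succeed silently even when the machine was already in tolerance, so without the before/after numbers you cannot tell whether time was really the problem. For an out-of-domain client the `/manualpeerlist` configuration is the durable fix; a one-off `net time /domain /set` corrects the clock only until it drifts again.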
See also: How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication