
Why does Kerberos care what time it is?

Answer

Kerberos authentication uses time stamps as part of its protocol. When the clocks of the Kerberos server and your computer are too far out of synchronization, you cannot authenticate properly. Both the Kerberos server and the Kerberos client depend on having clocks that are synchronized within a certain margin. This margin is normally 5 minutes.

The date and time on a machine running Microsoft Windows must be set accurately. If the date or time is too far off, Kerberos authentication will not work.

In this release, if a clock skew error is detected, the libraries attempt to resynchronize the clock to the network time automatically one time. The user will be warned that this has occurred. If this fails, or if a clock skew is detected again later, the user will have to manually resynchronize the machine time to the Kerberos server's time. The Leash application provides a button which will attempt to resynchronize the clock.

By default, the server that the libraries contact when synchronizing the time is "TIME". The domain name has been left off on purpose: if local system administrators create a machine with a CNAME of "time" within the local domain, the clients will contact this machine by default.

If your local system administrators are opposed to doing this for some reason, you can edit the resource LSH_TIME_HOST in the leashwXX.dll to the name appropriate for your local site. You can also edit the header files from the source distribution and recompile for your local site. However, this is not recommended.

You can also avoid this problem by running a local, properly configured NTP program on your machine.
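A diagnostic for the skew margin described above, as an added example that is not part of the original article or of the Kerberos for Windows code: it computes the local clock's offset from an SNTP reply and compares it to the 5-minute margin. It assumes the time host answers SNTP on UDP port 123; the function names and the sample reply built by make_reply are constructed for illustration.

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800   # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
MAX_SKEW = 300                 # the 5-minute margin, in seconds


def _ntp_to_unix(seconds, fraction):
    return seconds - NTP_EPOCH_DELTA + fraction / 2**32


def clock_offset(reply, t_sent, t_received):
    """Server-minus-local offset in seconds from a 48-byte SNTP reply.
    t_sent/t_received: local Unix time when the request left / reply arrived."""
    if len(reply) < 48:
        raise ValueError("short SNTP reply")
    # Mode 4 is a server reply; stratum 0 means the server has no usable time.
    if reply[0] & 0x07 != 4 or reply[1] == 0:
        raise ValueError("not a usable server reply")
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!4I", reply[32:48])
    t2 = _ntp_to_unix(rx_s, rx_f)   # server receive timestamp
    t3 = _ntp_to_unix(tx_s, tx_f)   # server transmit timestamp
    return ((t2 - t_sent) + (t3 - t_received)) / 2


def kerberos_skew_ok(offset, max_skew=MAX_SKEW):
    return abs(offset) <= max_skew


def query(host="time", timeout=3.0):
    """Measure the offset against a live host (assumed to speak SNTP)."""
    request = b"\x23" + 47 * b"\0"  # LI=0, version 4, mode 3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(request, (host, 123))
        reply, _ = s.recvfrom(512)
        return clock_offset(reply, t1, time.time())


def make_reply(server_time):
    """Constructed sample reply: stratum 2, receive = transmit = server_time."""
    secs = int(server_time) + NTP_EPOCH_DELTA
    return struct.pack("!BBbb11I", 0x24, 2, 0, -20,
                       0, 0, 0, 0, 0, 0, 0, secs, 0, secs, 0)
```

Calling kerberos_skew_ok(query()) on a workstation reports whether its clock is inside the margin before a Kerberos login is attempted.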

IS&T Contributions

Documentation and information provided by IS&T staff members


Last Modified:

March 30, 2011
