Kerberos Authentication failed due to time skew


Here is a case we recently worked on involving a Kerberos authentication failure.


Symptoms:

Assume there is a web site that provides search functions under a virtual directory configured for Integrated Windows authentication. When clients outside the domain access the web site by its FQDN, they have to click "OK" three times in the pop-up authentication dialog before the result grid comes back.


Analysis:

In the IIS log, the request is recorded as "401 1 2148074241" (sc-status, sc-substatus and sc-win32-status); the Win32 status 2148074241 indicates that the handle specified is invalid.


2009-04-15 00:30:26 W3SVC1 10.101.nn.nn GET /Portal/dddd.aspx - 80 - 10.1.19.53 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+InfoPath.1) 401 2 2148074254


In the Security log, the system was recording Event ID 537.


Event Type: Failure Audit
Event Source: Security
Event Category: (2)
Event ID: 537
Date: 4/15/2009
Time: 3:47:32 PM
User: NT AUTHORITY\SYSTEM
Computer: XXX
Description:
Logon Failure:
  Reason: An error occurred during logon
  User Name:
  Domain:
  Logon Type: 3
  Logon Process: Kerberos
  Authentication Package: Kerberos
  Workstation Name: -
  Status code: 0xC000006D
  Substatus code: 0xC0000133
  Caller User Name: -
  Caller Domain: -
  Caller Logon ID: -
  Caller Process ID: -
  Transited Services: -
  Source Network Address: 10.101.nn.nn
  Source Port: 1310
  Caller Process Name: %16


Status code 0xC000006D means "STATUS_LOGON_FAILURE", and sub-status code 0xC0000133 translates to "STATUS_TIME_DIFFERENCE_AT_DC". This points to a time difference between the two computers that exceeds the Kerberos tolerance (greater than 5 minutes).


In the network trace we can also see:

HTTP KRB Error: KRB5KRB_AP_ERR_SKEW (text/html)

KRB5KRB_AP_ERR_SKEW indicates that the clock skew is too great.


Comparing the timestamps in the client and server network traces confirms a 13-minute difference between the two clocks.
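The three signals used in this analysis (the IIS sc-win32-status, the Event 537 status/sub-status pair, and the clock difference between the traces) can be checked mechanically. The following script is an added example and is not code from the original post: it decodes the decimal sc-win32-status as an HRESULT (2148074241 is 0x80090301, SEC_E_INVALID_HANDLE; 2148074254, the value in the log line above, is 0x8009030E, SEC_E_NO_CREDENTIALS), extracts the NTSTATUS codes from the event text, and compares a client/server timestamp pair against the 5-minute Kerberos tolerance. The log line, event body and timestamps are constructed to mirror the case; the W3C field order is assumed from the sample line.

```python
# Added example (not from the original post): decode the IIS W3C log status
# fields and the Security event 537 codes, and test a client/server timestamp
# pair against the Kerberos clock-skew tolerance. Sample data is constructed.
import re
from datetime import datetime, timedelta

# Documented Windows code names for the values that appear in the case.
SSPI_WIN32_STATUS = {
    0x80090301: "SEC_E_INVALID_HANDLE",   # decimal 2148074241: "the handle specified is invalid"
    0x8009030E: "SEC_E_NO_CREDENTIALS",   # decimal 2148074254: value in the sample log line
}
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
}
KERBEROS_MAX_SKEW = timedelta(minutes=5)   # default KDC clock tolerance

# Constructed IIS log line; field order assumed to match the post's sample:
# date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port
# cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
SAMPLE_IIS_LINE = ("2009-04-15 00:30:26 W3SVC1 10.101.0.1 GET /Portal/dddd.aspx - 80 - "
                   "10.1.19.53 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 2148074254")

# Constructed Event 537 description (only the fields the parser needs).
SAMPLE_EVENT_537 = """Logon Failure:
  Reason: An error occurred during logon
  Logon Type: 3
  Authentication Package: Kerberos
  Status code: 0xC000006D
  Substatus code: 0xC0000133
"""

def parse_timestamp(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' as written in W3C logs and trace tools."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def parse_iis_line(line):
    """Split a W3C log line; the last three fields are the status triple."""
    f = line.split()
    if len(f) < 14:
        raise ValueError("unexpected field count: %d" % len(f))
    return {
        "timestamp": parse_timestamp(f[0] + " " + f[1]),
        "uri": f[5],
        "client_ip": f[9],
        "status": int(f[-3]),
        "substatus": int(f[-2]),
        "win32_status": int(f[-1]),   # logged in decimal; it is an HRESULT
    }

def decode_win32_status(code):
    """Map a decimal sc-win32-status to its SSPI name; hex for unknown values."""
    return SSPI_WIN32_STATUS.get(code, "unknown 0x%08X" % code)

def parse_event_537(text):
    """Return (status, substatus) from an Event 537 description."""
    status = re.search(r"^\s*Status code:\s*(0x[0-9A-Fa-f]+)", text, re.M)
    sub = re.search(r"^\s*Substatus code:\s*(0x[0-9A-Fa-f]+)", text, re.M)
    if not (status and sub):
        raise ValueError("status codes not found in event text")
    return int(status.group(1), 16), int(sub.group(1), 16)

def skew_minutes(client_ts, server_ts):
    """Absolute clock difference between two hosts, in minutes."""
    return abs(parse_timestamp(client_ts) - parse_timestamp(server_ts)).total_seconds() / 60

def diagnose(iis_line, event_text, client_ts, server_ts):
    """Combine the three signals into one verdict on time-skew failure."""
    rec = parse_iis_line(iis_line)
    status, substatus = parse_event_537(event_text)
    skew = skew_minutes(client_ts, server_ts)
    return {
        "iis": "%d.%d %s" % (rec["status"], rec["substatus"],
                             decode_win32_status(rec["win32_status"])),
        "event_537": "%s / %s" % (NTSTATUS.get(status, "0x%08X" % status),
                                  NTSTATUS.get(substatus, "0x%08X" % substatus)),
        "skew_minutes": skew,
        "time_skew_failure": (rec["status"] == 401
                              and substatus == 0xC0000133
                              and timedelta(minutes=skew) > KERBEROS_MAX_SKEW),
    }

if __name__ == "__main__":
    # Constructed timestamps reproducing the 13-minute gap seen in the traces.
    for k, v in diagnose(SAMPLE_IIS_LINE, SAMPLE_EVENT_537,
                         "2009-04-15 15:47:32", "2009-04-15 16:00:32").items():
        print("%-18s %s" % (k, v))
```

Decoding sc-win32-status as hex is the step most often skipped when reading IIS logs; once the value is seen as an SSPI HRESULT, pairing it with the Event 537 sub-status narrows the cause to the KDC clock check rather than to credentials or configuration.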


Solution:


It is now clear that the time difference (>5 min) between client and server is what causes the Kerberos authentication failure. Synchronizing the client machine's clock with the IIS server resolves the issue. Refer to this article:


Verifying Computer Settings for Troubleshooting Kerberos

http://technet.microsoft.com/en-us/library/cc787535.aspx


------------------------------------------------------------------

Make sure that the clocks are synchronized across the domain.

Many network services, including Kerberos authentication, are dependent on time synchronization throughout the domain. You can manually synchronize a computer with the time on the domain.

To synchronize the computer's time with the current time on the domain


1. Click Start, and then click Run.

2. Type net time /domain /set, and then click OK.

-------------------------------------------------------------------


More information:

How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication 

http://support.microsoft.com/kb/215383/


Regards,


Anik Shen