Kerberos Authentication failed due to time skew


Here is a case we recently worked on involving a Kerberos authentication failure.



Consider a web site that exposes a search function under a virtual directory protected by Integrated Windows authentication. When clients from outside the domain access the site by its FQDN, they are prompted for credentials three times and have to click "OK" on each prompt before the result grid comes back.



In the IIS log the failed requests are 401 responses whose sc-win32-status column carries an SSPI error rather than 0. The text of the case recorded "401 1 2148074241", where 2148074241 is 0x80090301 (SEC_E_INVALID_HANDLE, "The handle specified is invalid"); the sample line below from the same log shows a 401.2 with 2148074254, which is 0x8009030E (SEC_E_NO_CREDENTIALS, "No credentials are available in the security package"). Either value on a 401 means the authentication handshake broke inside the security package rather than being a plain wrong password.


2009-04-15 00:30:26 W3SVC1 10.101.nn.nn GET /Portal/dddd.aspx - 80 - Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+InfoPath.1) 401 2 2148074254


In the Security event log, the IIS server was recording Event ID 537 (logon failure) for the same requests. On Windows Server 2008 and later the equivalent event is 4625; the Status and SubStatus fields carry the same codes.


Event Type: Failure Audit
Event Source: Security
Event Category: (2)
Event ID: 537
Date: 4/15/2009
Time: 3:47:32 PM
Computer: XXX

Logon Failure:
  Reason: An error occurred during logon
  User Name:
  Logon Type: 3
  Logon Process: Kerberos
  Authentication Package: Kerberos
  Workstation Name: -
  Status code: 0xC000006D
  Substatus code: 0xC0000133
  Caller User Name: -
  Caller Domain: -
  Caller Logon ID: -
  Caller Process ID: -
  Transited Services: -
  Source Network Address: 10.101.nn.nn
  Source Port: 1310
  Caller Process Name: %16


Status code 0xC000006D is STATUS_LOGON_FAILURE, a generic wrapper that says only that the logon failed. The informative part is the substatus: 0xC0000133 is STATUS_TIME_DIFFERENCE_AT_DC, meaning the clocks of the two computers differ by more than the Kerberos tolerance. That tolerance is the "Maximum tolerance for computer clock synchronization" setting in the domain's Kerberos policy, and its default is 5 minutes.
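As an added example (not code from the original post), the following PowerShell scans IIS W3C log lines for 401 responses whose sc-win32-status is one of the SSPI errors seen above, and decodes the Status/Substatus pair from the text of a 537 (or 4625) logon-failure event so that clock skew is flagged explicitly. The log lines and the event text are constructed for the demonstration; the function names are my own.

```powershell
# Added example, not code from the original post. Scans IIS W3C log lines for
# 401s with an SSPI win32-status and decodes the NTSTATUS pair from a 537/4625
# logon-failure event. All sample input below is constructed for the demo.

# sc-win32-status values from this case, keyed as the decimal strings IIS writes.
$sspiStatus = @{
    '2148074241' = 'SEC_E_INVALID_HANDLE (0x80090301): the handle specified is invalid'
    '2148074254' = 'SEC_E_NO_CREDENTIALS (0x8009030E): no credentials are available in the security package'
}

function Find-SspiAuthFailures {
    param([string[]]$LogLines)
    $fields = $null
    foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) {                  # W3C header names the columns
            $fields = ($line.Substring(8).Trim()) -split ' '
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split ' '                           # W3C logs are space-delimited
        $row = @{}
        for ($i = 0; $i -lt [math]::Min($fields.Count, $values.Count); $i++) {
            $row[$fields[$i]] = $values[$i]
        }
        if ($row['sc-status'] -ne '401') { continue }
        $win32 = $row['sc-win32-status']
        if (-not $sspiStatus.ContainsKey($win32)) { continue } # plain 401 (e.g. first challenge), not an SSPI error
        [pscustomobject]@{
            Time    = "$($row['date']) $($row['time'])"
            Uri     = $row['cs-uri-stem']
            Status  = "401.$($row['sc-substatus'])"
            Win32   = $win32
            Meaning = $sspiStatus[$win32]
        }
    }
}

# NTSTATUS values from the 537 (Windows Server 2003) / 4625 (2008 and later) event.
$ntStatus = @{
    '0XC000006D' = 'STATUS_LOGON_FAILURE (generic wrapper; look at the substatus)'
    '0XC0000133' = 'STATUS_TIME_DIFFERENCE_AT_DC (clock skew beyond the Kerberos tolerance)'
}

function Get-LogonFailureDetail {
    param([string]$EventText)
    $status = [regex]::Match($EventText, '(?m)^\s*Status code:\s*(0x[0-9A-Fa-f]{8})').Groups[1].Value
    $sub    = [regex]::Match($EventText, '(?m)^\s*Substatus code:\s*(0x[0-9A-Fa-f]{8})').Groups[1].Value
    $source = [regex]::Match($EventText, 'Source Network Address:\s*(\S+)').Groups[1].Value
    $reason = if ($ntStatus.ContainsKey($sub.ToUpper())) { $ntStatus[$sub.ToUpper()] } else { 'unknown; look it up in ntstatus.h' }
    [pscustomobject]@{
        Status    = $status
        SubStatus = $sub
        Source    = $source
        Reason    = $reason
        ClockSkew = ($sub -ieq '0xC0000133')   # $true when the fix is time synchronization
    }
}

# Constructed sample data (not a real capture): two SSPI failures, then a success.
$iisLog = @(
    '#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username cs(User-Agent) sc-status sc-substatus sc-win32-status',
    '2009-04-15 00:30:25 W3SVC1 10.101.1.5 GET /Portal/dddd.aspx - 80 - Mozilla/4.0+(compatible) 401 2 2148074254',
    '2009-04-15 00:30:26 W3SVC1 10.101.1.5 GET /Portal/dddd.aspx - 80 - Mozilla/4.0+(compatible) 401 1 2148074241',
    '2009-04-15 00:30:27 W3SVC1 10.101.1.5 GET /Portal/dddd.aspx - 80 CONTOSO\alice Mozilla/4.0+(compatible) 200 0 0'
)
$event537 = @'
Logon Failure:
  Reason: An error occurred during logon
  Logon Process: Kerberos
  Status code: 0xC000006D
  Substatus code: 0xC0000133
  Source Network Address: 10.101.1.5
'@

Find-SspiAuthFailures -LogLines $iisLog | Format-Table -AutoSize
Get-LogonFailureDetail -EventText $event537
```

The IIS scan deliberately ignores 401s whose win32-status is 0, since the first 401 of every Negotiate handshake is a normal challenge; only a non-zero SSPI status marks a genuine failure. Correlating the source address and time of the flagged rows with the Source Network Address in the 537/4625 event ties the two logs to the same client.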


The network trace tells the same story. The 401 response from IIS carries a KRB-ERROR inside its Negotiate token, which the trace parser displays as:

HTTP KRB Error: KRB5KRB_AP_ERR_SKEW (text/html)

KRB_AP_ERR_SKEW (Kerberos error code 37, "Clock skew too great") is what the server returns when the timestamp in the client's authenticator falls outside the window the server will accept.


Comparing the frame timestamps of the client-side and server-side traces of the same exchange showed the two clocks about 13 minutes apart.




So the cause is a clock difference (13 minutes, well beyond the 5-minute tolerance) between the client and the IIS server. Synchronizing the client's clock with the server resolved the issue. Note why it happened in the first place: a domain-joined machine gets its time from the domain controller hierarchy automatically, but this client was outside the domain, so nothing kept its clock aligned and it simply drifted. Rather than correcting the clock by hand once, point such clients at a reliable time source so the skew does not come back. The manual steps below are from this article:


Verifying Computer Settings for Troubleshooting Kerberos



Make sure that the clocks are synchronized across the domain.

Many network services, including Kerberos authentication are dependent on time synchronization throughout the domain. You can manually synchronize a computer with the time on the domain.

To synchronize the computer's time with the current time on the domain


1. Click Start, and then click Run.

2. Type net time /domain /set, and then click OK.
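As an added example (not part of the referenced article or the original post), here is the same check and fix as a PowerShell script using w32tm: it measures the local clock's offset against a time source, compares it with the Kerberos tolerance, configures an explicit peer when the machine is not domain-joined (the situation in this case), and resynchronizes. The time source `contoso.com`, the function names, and the assumption that w32tm prints a decimal point (not a locale-specific comma) are mine; run it from an elevated prompt with the Windows Time service running.

```powershell
# Added example, not code from the original post or the referenced article.
# Measures clock offset with w32tm, compares it with the Kerberos tolerance and
# resynchronizes when the skew is too large. Needs an elevated prompt.
# $TimeSource is an assumption: use your domain name or PDC emulator.

function Get-ClockOffsetSeconds {
    param([string]$TimeSource, [int]$Samples = 3)
    # With /dataonly, w32tm prints one line per sample, e.g. "15:47:32, +00.0123456s".
    # Error samples look like "15:47:33, error: 0x800705B4" and are skipped.
    # Assumes a '.' decimal separator in the output (locale dependent).
    $output = & w32tm /stripchart /computer:$TimeSource /samples:$Samples /dataonly 2>&1
    $offsets = foreach ($line in $output) {
        if ($line -match ',\s*([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "No time samples from ${TimeSource}: $($output -join '; ')" }
    ($offsets | Measure-Object -Average).Average
}

function Sync-ClockIfSkewed {
    param(
        [string]$TimeSource = 'contoso.com',   # assumption: replace with your domain / DC
        [double]$ToleranceSeconds = 300        # "Maximum tolerance for computer clock synchronization", default 5 min
    )
    $offset = Get-ClockOffsetSeconds -TimeSource $TimeSource
    Write-Host ('Clock offset from {0}: {1:N3} s (tolerance {2} s)' -f $TimeSource, $offset, $ToleranceSeconds)
    if ([math]::Abs($offset) -le $ToleranceSeconds) {
        Write-Host 'Within Kerberos tolerance; nothing to do.'
        return $false
    }
    # A machine outside the domain has no DC hierarchy to follow, so give it an
    # explicit peer; domain members already sync from their domain controllers.
    $partOfDomain = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
    if (-not $partOfDomain) {
        & w32tm /config /manualpeerlist:$TimeSource /syncfromflags:manual /update | Out-Null
    }
    & w32tm /resync | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "w32tm /resync failed with exit code $LASTEXITCODE" }
    $after = Get-ClockOffsetSeconds -TimeSource $TimeSource
    Write-Host ('Clock offset after resync: {0:N3} s' -f $after)
    return ([math]::Abs($after) -le $ToleranceSeconds)
}

Sync-ClockIfSkewed -TimeSource 'contoso.com'
```

Measuring against the same source the KDC and the IIS server use is what matters: Kerberos does not care whether the client's clock is "right", only whether it is within tolerance of the server's. The function returns $true once the offset is back inside the window, so it can be run again after a resync to confirm the fix before retrying the web site.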



More information:

How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication




Anik Shen