Kerberos tickets are issued even though the time difference between the client clock and the domain controller clock is greater than the "Maximum tolerance for computer clock synchronization" value

Article ID: 956627

INTRODUCTION

This article describes behavior in which Kerberos tickets are issued even though the time difference between a client clock and a domain controller clock is greater than the "Maximum tolerance for computer clock synchronization" value.

For example, assume that you have configured the Maximum tolerance for computer clock synchronization Group Policy setting in a domain environment. A Windows Server 2003-based domain controller may still issue a Kerberos ticket to a client computer even though the time difference between the client clock and the domain controller clock is greater than the value that you configured for this Group Policy setting.

Note: The default value for the Maximum tolerance for computer clock synchronization setting is five minutes.

MORE INFORMATION

If a client computer sends a time stamp that differs from the domain controller's time stamp by more than the value that you configured in the Maximum tolerance for computer clock synchronization setting, the domain controller returns a "KRB_AP_ERR_SKEW" error code in its response packet. In this packet, the domain controller also includes a time stamp from its own clock. When the client computer receives this packet, it uses the domain controller's time stamp together with the value of the Maximum tolerance for computer clock synchronization setting to calculate a valid time. The client computer then uses this valid time to retry the request. On this second try, the Kerberos ticket is issued to the client computer.

This behavior is documented in Request for Comments (RFC) 4430, "Kerberized Internet Negotiation of Keys (KINK)." To see RFC 4430, visit the following Request for Comments Web site:
ftp://ftp.rfc-editor.org/in-notes/rfc4430.txt
Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

If the clock of the client computer is ahead of the domain controller's clock by more than the lifetime of the Kerberos ticket, the Kerberos ticket is invalid. In this scenario, the logon fails.
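The following simulation is an added example, not code from Microsoft or from any Kerberos implementation. It models the two behaviors described above: the KDC rejecting a request whose time stamp exceeds the skew tolerance and returning its own time in the KRB_AP_ERR_SKEW error, the client retrying with the corrected time, and the logon still failing when the client's clock is beyond the domain controller's time plus the ticket lifetime. The function and field names, the fixed KDC clock, and the client-side expiry check are assumptions of this model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Defaults named in the article: 5-minute skew tolerance, 10-hour ticket lifetime.
MAX_SKEW = timedelta(minutes=5)
TICKET_LIFETIME = timedelta(hours=10)
KDC_NOW = datetime(2008, 9, 2, 12, 0, 0)  # constructed fixed domain-controller clock


@dataclass
class Ticket:
    starttime: datetime
    endtime: datetime


class KrbApErrSkew(Exception):
    """Models KRB_ERROR with code KRB_AP_ERR_SKEW; carries the KDC's time stamp (stime)."""

    def __init__(self, stime: datetime):
        super().__init__("KRB_AP_ERR_SKEW")
        self.stime = stime


def kdc_handle_request(client_stamp: datetime, kdc_now: datetime) -> Ticket:
    """KDC side (hypothetical): reject if |client - kdc| exceeds the tolerance, else issue."""
    if abs(client_stamp - kdc_now) > MAX_SKEW:
        raise KrbApErrSkew(kdc_now)
    return Ticket(starttime=kdc_now, endtime=kdc_now + TICKET_LIFETIME)


def client_logon(client_now: datetime, kdc_now: datetime):
    """Client side (hypothetical): returns (outcome, attempts); retries once on skew error."""
    attempts = 1
    try:
        ticket = kdc_handle_request(client_now, kdc_now)
    except KrbApErrSkew as err:
        attempts = 2
        # The client adopts the KDC's time stamp as its corrected time for the retry.
        ticket = kdc_handle_request(err.stime, kdc_now)
    # The client still judges the ticket with its own, uncorrected clock: if that clock
    # is past the ticket's end time, the ticket is already expired and the logon fails.
    if client_now > ticket.endtime:
        return "logon failed", attempts
    return "issued", attempts


def simulate(client_offset_minutes: int):
    """Run one logon with the client clock offset from the KDC clock by the given minutes."""
    client_now = KDC_NOW + timedelta(minutes=client_offset_minutes)
    return client_logon(client_now, KDC_NOW)
```

A skew of 30 minutes in either direction succeeds on the second attempt, while a client clock 11 hours ahead is corrected for the request but still fails because the 10-hour ticket is already expired by the client's own clock.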

By default, the lifetime of a Kerberos ticket is 10 hours (600 minutes). To modify the lifetime value, configure the following Group Policy settings:
  • Computer Configuration/Windows Settings/Security Settings/Account Policies/Kerberos Policy/Maximum Service Ticket Lifetime
  • Computer Configuration/Windows Settings/Security Settings/Account Policies/Kerberos Policy/Maximum User Ticket Lifetime
For more information about the Maximum tolerance for computer clock synchronization Group Policy setting, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/cc779260.aspx

Properties

Article ID: 956627 - Last Review: September 2, 2008 - Revision: 1.1
APPLIES TO
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows XP Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
Keywords: 
kbexpertiseadvanced kbinfo KB956627
