
Article ID: 938454 - Last Review: February 25, 2009 - Revision: 2.0

Error message when you try to log on to a Windows Vista-based client computer across a domain trust: "There is a time and/or date difference between the client and server"


SYMPTOMS

Consider the following scenario. You have a domain on which user accounts reside and another domain on which computer accounts reside. You have established a trust relationship between these domains. However, when you try to log on to a Windows Vista-based client computer across the trust, the logon process fails. Additionally, you receive an error message that contains a white “X” inside a red circle. The text of this error message resembles the following:
There is a time and/or date difference between the client and server.
Note: This issue occurs even though there is no significant time difference between the client computer and the server. This issue occurs only on Windows Vista-based client computers.

CAUSE

This issue occurs on Windows Vista-based client computers if the following conditions are true:
  • The Do not require Kerberos preauthentication check box is selected for the user account.
  • The domain controller that manages the Active Directory user accounts contains the following version of the Kdcsvc.dll file or an earlier version:
    kdcsvc 5.2.3790.2464 (srv03_sp1_rtm.050324-1447)

RESOLUTION

To resolve this issue, install Microsoft Windows Server 2003 Service Pack 2 (SP2) on the domain controller that manages the Active Directory user accounts. For more information about how to obtain the latest service pack for Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:
889100 (http://support.microsoft.com/kb/889100/) How to obtain the latest service pack for Windows Server 2003

WORKAROUND

To work around this issue, click to clear the Do not require Kerberos preauthentication check box in the User Properties dialog box on the domain controller. To do this, follow these steps:
  1. In the Active Directory Users and Computers snap-in, expand Users.
  2. Right-click the affected user’s account, and then click Properties.
  3. On the Account tab, click to clear the Do not require Kerberos preauthentication check box in the Account options list, click Apply, and then click OK.
  4. Close the Active Directory Users and Computers snap-in.
  5. Verify that the affected user can successfully log on to the domain.
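
When more than one account is affected, the same check box can be audited and cleared from PowerShell through ADSI. This is an added example, not part of the original article: the function names and the search base DN are hypothetical placeholders, and the check box is assumed to correspond to the ADS_UF_DONT_REQUIRE_PREAUTH bit (0x400000) of the userAccountControl attribute.

```powershell
# ADS_UF_DONT_REQUIRE_PREAUTH: the userAccountControl bit behind the
# "Do not require Kerberos preauthentication" check box.
$DONT_REQ_PREAUTH = 0x400000

function Get-NoPreauthUser {
    param(
        # Assumption: placeholder DN; replace with the domain that holds the user accounts.
        [string]$SearchBase = 'DC=accounts,DC=example,DC=com'
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    # Bitwise-AND matching rule (1.2.840.113556.1.4.803) selects users with the bit set.
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)" +
                       "(userAccountControl:1.2.840.113556.1.4.803:=$DONT_REQ_PREAUTH))"
    $searcher.PageSize = 500   # page through large result sets
    $searcher.FindAll() | ForEach-Object { $_.GetDirectoryEntry() }
}

function Clear-NoPreauthFlag {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.DirectoryServices.DirectoryEntry]$User
    )
    process {
        $props = $User.psbase.Properties
        $name  = [string]$props['sAMAccountName'].Value
        $uac   = [int]$props['userAccountControl'].Value
        if (($uac -band $DONT_REQ_PREAUTH) -eq 0) { return }   # flag already clear
        if ($PSCmdlet.ShouldProcess($name, 'Require Kerberos preauthentication')) {
            # Clear only this bit; every other account option is left as it was.
            $props['userAccountControl'].Value = $uac -band (-bnot $DONT_REQ_PREAUTH)
            $User.psbase.CommitChanges()
        }
    }
}

# List the affected accounts, then preview the change; drop -WhatIf to apply it.
Get-NoPreauthUser | ForEach-Object { $_.psbase.Properties['sAMAccountName'].Value }
Get-NoPreauthUser | Clear-NoPreauthFlag -WhatIf
```

Run it with an account that has write access to the user objects, and then verify logon as in step 5.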

APPLIES TO
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Windows Vista Business
  • Windows Vista Enterprise
  • Windows Vista Ultimate