Client Time Changing Wildly - Win2K using MIT KDC

Jason C. Wells jcwells1 at highperformance.net
Sun Apr 6 00:18:16 EST 2003


I can't login to Win2K using an MIT KDC.  It appears that the Win2K code
is reporting time wrongly in a very bizarre way.

If Turbo Fredrikson or Tony Hoyle are reading this, I sure would like to
know what resolution you guys came up with on this from last September's
thread on this subject.

In the messages below note that the Server Time changed by 1.5 hours but
that the reported Client Time changed by 60 _YEARS_.  The 1.5 hours was
spent upgrading my servers from 1.2.5 to 1.2.7.

Here is the Win2K log from my recent Win2K login attempt:

Event Type:	Error
Event Source:	Kerberos
Event Category:	None
Event ID:	4
Date:		4/5/2003
Time:		8:57:41 PM
User:		N/A
Computer:	WORKSTATION
Description:
The function InitializeSecurityContext received a Kerberos Error Message:
         on logon session
 Client Time: 12:47:51.0000 7/31/1976 Z
 Server Time: 4:57:40.0000 4/6/2003 (null)
 Error Code: 0x3c KRB_ERR_GENERIC
 Client Realm: HPN
 Client Name: jcw
 Server Realm: HPN
 Server Name: host/workstation.highperformance.net
 Target Name: host/workstation.highperformance.net at HPN
 Error Text: Generic error (see e-text)
 File:
 Line:
 Error Data is in record data.


And here is an error from a login made only a little while ago:

Event Type:	Error
Event Source:	Kerberos
Event Category:	None
Event ID:	4
Date:		4/5/2003
Time:		7:27:43 PM
User:		N/A
Computer:	WORKSTATION
Description:
The function InitializeSecurityContext received a Kerberos Error Message:
         on logon session
 Client Time: 11:22:53.0000 12/21/2036 Z
 Server Time: 3:27:35.0000 4/6/2003 (null)
 Error Code: 0x3c KRB_ERR_GENERIC
 Client Realm: HPN
 Client Name: jcw
 Server Realm: HPN
 Server Name: host/workstation.highperformance.net
 Target Name: host/workstation.highperformance.net at HPN
 Error Text: Generic error (see e-text)
 File:
 Line:
 Error Data is in record data.

I use W32Time and NTP to keep my clocks synched.  Time on windows is
within 1 second of time on the KDC.

The KDC shows a successful AS_REQ:

Apr 05 19:19:32 server1.highperformance.net krb5kdc[179](info): AS_REQ (7
etypes {23 -133 -128 3 1 24 -135}) 192.168.1.13(88): ISSUE: authtime
1049599172, etypes {rep=3 tkt=16 ses=1}, jcw at HPN for krbtgt/HPN at HPN

The KDC shows a failed TGS_REQ, due to failed PREAUTH, presumably due to
buggered timestamp.

Apr 05 19:19:32 server1.highperformance.net krb5kdc[179](info): TGS_REQ (7
etypes {23 -133 -128 3 1 24 -135}) 192.168.1.13(88): NO PREAUTH: authtime
1049599172, jcw at HPN for host/workstation.highperformance.net at HPN, Generic
error (see e-text)

I can use kerberos to login to the shell (from the Win2K box in question)
that I am using to write this message.

I have no idea how to explain or fix this.  To me, this looks like a
genuine bug.  Does anyone have an idea how I might get this working?

Thank you,
Jason C. Wells



More information about the Kerberos mailing list