e-data field in KRB-ERROR from microsoft clients when ERR_SKEW is issued

JC Ferguson jc at acopia.com
Sun Sep 17 23:31:11 EDT 2006

Hi - When a WindowsXP client who's clock is skewed beyond the configured toleration connects to a Microsoft Windows 2000 server, the return is a KRB-ERROR message with all the fixings.  However, I cannot interpret the e-data field.  I am consistently getting a byte sequence of :

ac 09 04 07 30 05 a1 03 02 01 02

which I intepret as

 [12] {
       30 05 a1 03 02 01 02

and this appears to contain another sequence of bytes:
     [1] {
        02 01 02

Any ideas what the format is supposed to be for e-data when the client's clock is skewed?  Google has plenty of references for what e-data needs to be for other errors, but i'm coming up empty for ERR_SKEW.  It can't be a hint about the time because the server's time is in the KRB-ERROR.  

Also, curiously enough, even though the time is skewed, the client is able to eventually connect - this is puzzling as I checked the system time after successful connect and it was still skewed.  Any ideas on that one also please?  This behavior is not the case when the OS is Win2003 server (it does not permit the connection in timeskew situations).


More information about the krbdev mailing list