Kerberos authentication and Time Skew: does not always work

Jeffrey Altman jaltman at
Tue Sep 4 00:42:21 EDT 2007

JC Ferguson wrote:
> I understand the basic technique/theory behind allowing a client to have
> skew as described in RFC 4120 and in more detail the DGT96 reference in
> the RFC.  I'm not sure how much of this is already implemented in the
> MIT library, whether or not there is a compile-time option I forgot to
> set to get it to work, or whether or not there is a krb5.conf option I
> can set, etc.

The ability to perform skew adjustment in the client when the KDC and
service host are timed synchronized but the client is not requires the
ability to store time offset information for the tickets in the
credential cache.  The MSLSA and API credential caches on Windows do
not support this.

Jeffrey Altman
Secure Endpoints Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3355 bytes
Desc: S/MIME Cryptographic Signature
Url :

More information about the krbdev mailing list