Kerberos authentication and Time Skew: does not always work

JC Ferguson jc at
Tue Sep 4 07:29:57 EDT 2007

Ok - but why does a clock skewed client work fine when the service host is Windows?  Also, I have noticed a similar, successful behavior for Netapp NAS devices.

Thank you,

-----Original Message-----
From: "Jeffrey Altman" <jaltman at>
To: "JC Ferguson" <jc at>
Cc: krbdev at
Sent: 9/4/2007 0:42
Subject: Re: Kerberos authentication and Time Skew: does not always work

JC Ferguson wrote:
> I understand the basic technique/theory behind allowing a client to have
> skew as described in RFC 4120 and in more detail the DGT96 reference in
> the RFC.  I'm not sure how much of this is already implemented in the
> MIT library, whether or not there is a compile-time option I forgot to
> set to get it to work, or whether or not there is a krb5.conf option I
> can set, etc.

The ability to perform skew adjustment in the client when the KDC and
service host are time synchronized but the client is not requires the
ability to store time offset information for the tickets in the
credential cache.  The MSLSA and API credential caches on Windows do
not support this.

Jeffrey Altman
Secure Endpoints Inc.

[truncated by sender]
