Kerberos authentication and Time Skew: does not always work

JC Ferguson jc at
Tue Sep 4 09:56:11 EDT 2007

> > Ok - but why does a clock skewed client work fine when the 
> service host is windows?  Also, i have noticed a similar, 
> succcessful  behavior for Netapp NAS devices.
> > 
> > Thank you,
> > /jc
> It shouldn't matter what the service host is as long as the 
> service host clock is synchronized with the KDC.  If the 
> service host clock is not synchronized with the KDC, Kerberos 
> will not work.

I agree.  But, for me, it is not working.  The service host I am
developing uses the MIT KRB5 1.3.6 library and it is not able to
authenticate a skewed client with any sort of reliability (50% success
rate), even when its clock is in sycn with the KDC.  Given MS Windows,
in the capacity of a service host, can authenticate a skewed client with
100% success, I am wondering what I am doing wrong in my application of
the MIT krb library.  Or, if there is yet-to-be-implemented code in the
library to deal with time skewed clients.  


The information contained in this e-mail is confidential and is intended solely 
for the review of the named addressee, and in conjunction with specific Acopia 
Networks business. Any review, retransmission, dissemination or other use of, 
or taking of any action in reliance upon, this information by persons or 
entities other than the intended recipient is prohibited. If you are unable to 
treat this information accordingly, or are not the intended recipient, please 
notify us immediately by returning the e-mail to the originator.

More information about the krbdev mailing list