Kerberos authentication and Time Skew: does not always work
JC Ferguson
jc at acopia.com
Tue Sep 4 09:56:11 EDT 2007
> > Ok - but why does a clock skewed client work fine when the
> > service host is Windows? Also, I have noticed a similar,
> > successful behavior for Netapp NAS devices.
> >
> > Thank you,
> > /jc
>
> It shouldn't matter what the service host is as long as the
> service host clock is synchronized with the KDC. If the
> service host clock is not synchronized with the KDC, Kerberos
> will not work.
I agree. But, for me, it is not working. The service host I am
developing uses the MIT KRB5 1.3.6 library and it is not able to
authenticate a skewed client with any sort of reliability (50% success
rate), even when its clock is in sync with the KDC. Given MS Windows,
in the capacity of a service host, can authenticate a skewed client with
100% success, I am wondering what I am doing wrong in my application of
the MIT krb library. Or, if there is yet-to-be-implemented code in the
library to deal with time skewed clients.
/jc