Kerberos authentication and Time Skew: does not always work

Jeffrey Altman jaltman at
Tue Sep 4 10:25:29 EDT 2007

JC Ferguson wrote:
>>> Ok - but why does a clock skewed client work fine when the 
>> service host is windows?  Also, i have noticed a similar, 
>> succcessful  behavior for Netapp NAS devices.
>>> Thank you,
>>> /jc
>> It shouldn't matter what the service host is as long as the 
>> service host clock is synchronized with the KDC.  If the 
>> service host clock is not synchronized with the KDC, Kerberos 
>> will not work.
> I agree.  But, for me, it is not working.  The service host I am
> developing uses the MIT KRB5 1.3.6 library and it is not able to
> authenticate a skewed client with any sort of reliability (50% success
> rate), even when its clock is in sycn with the KDC.  Given MS Windows,
> in the capacity of a service host, can authenticate a skewed client with
> 100% success, I am wondering what I am doing wrong in my application of
> the MIT krb library.  Or, if there is yet-to-be-implemented code in the
> library to deal with time skewed clients.  
> /jc

The client has to be synchronized as well OR the client has to
have support for computing clock skew and applying the difference.
Otherwise the times will be off and the authentication will fail.

Build your service with a debug version of the Kerberos libraries
and trace through where the time skew error is being returned.

You can modify the acceptable clock skew period with the "clockskew"
option in krb5.conf.

Jeffrey Altman

More information about the krbdev mailing list