Kerberos authentication and Time Skew: does not always work
dalmeida at MIT.EDU
Tue Sep 4 12:04:06 EDT 2007
I was trying to figure out how Windows clients and servers deal with clock
skew a little while back. My memory of the details might be a little off,
but the gist should be correct:
>From my observations, the MS SSPI handles time skew between a client and a
server by using the stime/susec in the KRB_ERROR response to continue the
SSPI exchange w/an updated time in the authenticator. In the scenario I was
observing, it looked like that, on a KRB_AP_ERR_SKEW, the client continued
the re-issued the KRB_AP_REQ with a new authenticator using the KRB_ERROR's
stime/susec in the authenticator's ctime/cusec.
So the MS server return the time skew error along with the server time.
Then the client can re-issue the auth request using the server's time info
(generating a new authenticator using the timestamp).
I have not looked at the relevant krb5 library code to see whether/how it
could be modified to handle this.
More information about the krbdev