Kerberos authentication and Time Skew: does not always work

Sam Hartman hartmans at MIT.EDU
Tue Sep 4 15:57:41 EDT 2007

>>>>> "Jeffrey" == Jeffrey Altman <jaltman at> writes:

    Jeffrey> JC Ferguson wrote:
    >> I understand the basic technique/theory behind allowing a
    >> client to have skew as described in RFC 4120 and in more detail
    >> the DGT96 reference in the RFC.  I'm not sure how much of this
    >> is already implemented in the MIT library, whether or not there
    >> is a compile-time option I forgot to set to get it to work, or
    >> whether or not there is a krb5.conf option I can set, etc.

    Jeffrey> The ability to perform skew adjustment in the client when
    Jeffrey> the KDC and service host are timed synchronized but the
    Jeffrey> client is not requires the ability to store time offset
    Jeffrey> information for the tickets in the credential cache.  The
    Jeffrey> MSLSA and API credential caches on Windows do not support
    Jeffrey> this.

It's important to note that is not what SMB is doing based on the
protocol traces being reported.

More information about the krbdev mailing list