Kerberos authentication and Time Skew: does not always work
jaltman at secure-endpoints.com
Wed Sep 5 14:58:07 EDT 2007
Danilo Almeida wrote:
> I was trying to figure out how Windows clients and servers deal with clock
> skew a little while back. My memory of the details might be a little off,
> but the gist should be correct:
>>From my observations, the MS SSPI handles time skew between a client and a
> server by using the stime/susec in the KRB_ERROR response to continue the
> SSPI exchange w/an updated time in the authenticator. In the scenario I was
> observing, it looked like that, on a KRB_AP_ERR_SKEW, the client continued
> the re-issued the KRB_AP_REQ with a new authenticator using the KRB_ERROR's
> stime/susec in the authenticator's ctime/cusec.
> So the MS server return the time skew error along with the server time.
> Then the client can re-issue the auth request using the server's time info
> (generating a new authenticator using the timestamp).
> I have not looked at the relevant krb5 library code to see whether/how it
> could be modified to handle this.
> - Danilo
In other words, in order to make MIT Kerberized services work with
Microsoft clients, the service should include the current clock time
in the KRB_ERROR response.
Making the MIT Kerberized clients work with Microsoft services would
need to look for a server time in the KRB_ERROR and then retry the
request. This might require the assistance of the application. I need
to look at the code closer.
More information about the krbdev