Kerberos authentication and Time Skew: does not always work

Jeffrey Altman jaltman at
Wed Sep 5 14:58:07 EDT 2007

Danilo Almeida wrote:
> JC,
> See:
> <quote>
> I was trying to figure out how Windows clients and servers deal with clock
> skew a little while back.  My memory of the details might be a little off,
> but the gist should be correct:
>>From my observations, the MS SSPI handles time skew between a client and a
> server by using the stime/susec in the KRB_ERROR response to continue the
> SSPI exchange w/an updated time in the authenticator.  In the scenario I was
> observing, it looked like that, on a KRB_AP_ERR_SKEW, the client continued
> the re-issued the KRB_AP_REQ with a new authenticator using the KRB_ERROR's
> stime/susec in the authenticator's ctime/cusec.
> </quote>
> So the MS server return the time skew error along with the server time.
> Then the client can re-issue the auth request using the server's time info
> (generating a new authenticator using the timestamp).
> I have not looked at the relevant krb5 library code to see whether/how it
> could be modified to handle this.
> - Danilo

In other words, in order to make MIT Kerberized services work with
Microsoft clients, the service should include the current clock time
in the KRB_ERROR response.

Making the MIT Kerberized clients work with Microsoft services would
need to look for a server time in the KRB_ERROR and then retry the
request.  This might require the assistance of the application.  I need
to look at the code closer.

Jeffrey Altman

More information about the krbdev mailing list