Here is a case we recently worked on involving a Kerberos authentication failure.
Symptoms:
Assume a web site that exposes a search function under a virtual directory protected by Integrated Windows authentication. When clients outside the domain access the site by its FQDN, they have to click "OK" three times in the authentication popup before the result grid comes back.
Analysis:
In the IIS log the request is recorded as "401 1 2148074241": sc-status 401, sc-substatus 1 and sc-win32-status 2148074241, which is 0x80090301 (SEC_E_INVALID_HANDLE, "the handle specified is invalid"). Note that the sample line below carries "401 2 2148074254" instead; 2148074254 is 0x8009030E (SEC_E_NO_CREDENTIALS), so the two values are not from the same request. Either way the win32 status only says that the SSPI exchange failed; the reason is in the Security log.
2009-04-15 00:30:26 W3SVC1 10.101.nn.nn GET /Portal/VD/Show.aspx - 80 - 10.1.19.53 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+InfoPath.1) 401 2 2148074254
The Security log on the server recorded Event ID 537 failure audits:
Event Type: Failure Audit
Event Source: Security
Event Category: (2)
Event ID: 537
Date: 4/15/2009
Time: 3:47:32 PM
User: NT AUTHORITY\SYSTEM
Computer: XXX
Description:
Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC000006D
Substatus code: 0xC0000133
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.101.nn.nn
Source Port: 1310
Caller Process Name: %16
Status code 0xC000006D is STATUS_LOGON_FAILURE and substatus code 0xC0000133 is STATUS_TIME_DIFFERENCE_AT_DC: the clocks of the two computers differ by more than the permitted Kerberos skew (5 minutes by default policy).
The network trace shows the same failure on the wire:
HTTP KRB Error: KRB5KRB_AP_ERR_SKEW (text/html)
KRB5KRB_AP_ERR_SKEW means the clock skew is too great.
Comparing the packet timestamps in the client-side and server-side traces confirms a difference of 13 minutes.
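The three artifacts above (the IIS 401 line, the event 537 status/substatus pair and the KRB error in the trace) can be decoded and correlated by script. The following is an added example and not code from the original post: it parses the log line and the event text quoted above, translates the codes, and returns a verdict. It assumes the IIS line ends with the sc-status, sc-substatus and sc-win32-status fields as on this page, and its lookup tables hold only the codes discussed here (plus SEC_E_NO_CREDENTIALS, which is what the sample line's 2148074254 decodes to).

```powershell
# Added example, not code from the original post. Decodes the IIS W3C log line and the
# Security event 537 text from the analysis above and reports whether they carry the
# clock-skew signature. Assumptions: the IIS line ends with sc-status sc-substatus
# sc-win32-status as on the page; the tables hold only the codes discussed here plus
# SEC_E_NO_CREDENTIALS (0x8009030E), which is what the sample line's 2148074254 is.

# Keys are upper-case 8-digit hex strings; this sidesteps PowerShell parsing a literal
# such as 0x80090301 as a negative Int32.
$SspiErrors = @{
    '80090301' = 'SEC_E_INVALID_HANDLE: the handle specified is invalid'
    '8009030E' = 'SEC_E_NO_CREDENTIALS: no credentials are available in the security package'
}
$NtStatus = @{
    'C000006D' = 'STATUS_LOGON_FAILURE'
    'C0000133' = 'STATUS_TIME_DIFFERENCE_AT_DC: client and DC clocks differ by more than the allowed skew'
}

function Resolve-Code {
    # Table lookup that keeps unknown codes visible instead of dropping them.
    param([hashtable]$Table, [string]$Hex)
    if ($Table.ContainsKey($Hex)) { return $Table[$Hex] }
    return 'not in table'
}

function ConvertFrom-IisAuthFailure {
    # One space-delimited W3C line. sc-win32-status is logged as an unsigned decimal, so it
    # is widened to [uint32] before formatting: 2148074254 -> 8009030E.
    param([Parameter(Mandatory)][string]$Line)
    $f = $Line -split '\s+'
    $win32Hex = '{0:X8}' -f [uint32]$f[-1]
    [pscustomobject]@{
        Time        = "$($f[0]) $($f[1])"
        ClientIP    = $f[9]
        Uri         = $f[5]
        Status      = "$($f[-3]).$($f[-2])"
        Win32Status = "0x$win32Hex"
        Meaning     = Resolve-Code $SspiErrors $win32Hex
    }
}

function ConvertFrom-Event537 {
    # Pull the two NTSTATUS values out of the event description. (?m)^ anchors each pattern
    # at a line start so 'Status code' cannot match inside 'Substatus code'.
    param([Parameter(Mandatory)][string]$Text)
    $status = ''
    $sub    = ''
    if ($Text -match '(?m)^\s*Status code:\s*0x([0-9A-Fa-f]{8})')    { $status = $Matches[1].ToUpper() }
    if ($Text -match '(?m)^\s*Substatus code:\s*0x([0-9A-Fa-f]{8})') { $sub    = $Matches[1].ToUpper() }
    [pscustomobject]@{
        Status           = "0x$status"
        StatusMeaning    = Resolve-Code $NtStatus $status
        Substatus        = "0x$sub"
        SubstatusMeaning = Resolve-Code $NtStatus $sub
        ClockSkew        = ($sub -eq 'C0000133')
    }
}

function Test-KerberosClockSkew {
    # Verdict across the three artifacts. The IIS 401 alone is only corroboration: the same
    # sc-win32-status values show up for other SSPI failures, so skew is asserted only from
    # the event substatus or from the KRB error seen in the trace.
    param([string]$IisLine, [string]$EventText, [string]$TraceText)
    $iis = ConvertFrom-IisAuthFailure -Line $IisLine
    $ev  = ConvertFrom-Event537 -Text $EventText
    $traceSkew = [bool]($TraceText -match 'KRB5KRB_AP_ERR_SKEW')
    $verdict = 'no skew signature; check SPN, delegation and credentials instead'
    if ($ev.ClockSkew -or $traceSkew) { $verdict = 'clock skew: resync the client with the domain time source' }
    [pscustomobject]@{
        IisStatus         = "$($iis.Status) $($iis.Win32Status) ($($iis.Meaning))"
        Event537          = "$($ev.Status) / $($ev.Substatus) ($($ev.SubstatusMeaning))"
        TraceHasSkewError = $traceSkew
        Verdict           = $verdict
    }
}

# Inputs copied from the analysis above (the s-ip octets are masked in the post as well).
$iisLine = '2009-04-15 00:30:26 W3SVC1 10.101.nn.nn GET /Portal/VD/Show.aspx - 80 - 10.1.19.53 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+InfoPath.1) 401 2 2148074254'
$event537 = @'
Logon Failure:
Reason: An error occurred during logon
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Status code: 0xC000006D
Substatus code: 0xC0000133
Source Network Address: 10.101.nn.nn
'@
$trace = 'HTTP KRB Error: KRB5KRB_AP_ERR_SKEW (text/html)'

Test-KerberosClockSkew -IisLine $iisLine -EventText $event537 -TraceText $trace | Format-List
```

Run against the page's data the verdict is "clock skew", driven by the 0xC0000133 substatus and the KRB5KRB_AP_ERR_SKEW error; the 401.2 / 0x8009030E entry is reported but does not by itself decide anything, which is the point of keeping the IIS line as corroboration only.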
Solution:
It is now clear that the time difference (>5 minutes) between client and server is what breaks Kerberos authentication. Synchronizing the client machine's clock with the IIS server resolved the issue. In a domain, every machine should take its time from the domain hierarchy (the domain controllers) rather than from a peer, so that client and server cannot drift apart again; the following article describes the manual synchronization:
Verifying Computer Settings for Troubleshooting Kerberos
http://technet.microsoft.com/en-us/library/cc787535.aspx
------------------------------------------------------------------
Make sure that the clocks are synchronized across the domain.
Many network services, including Kerberos authentication, depend on time synchronization throughout the domain. You can manually synchronize a computer with the time on the domain.
To synchronize the computer's time with the current time on the domain
1. Click Start, and then click Run.
2. Type net time /domain /set, and then click OK.
-------------------------------------------------------------------
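The procedure above measures the skew by hand and fixes it with a one-time net time. As an added example, not from the original post or the linked TechNet article, the script below does both steps with w32tm: it samples this client's clock offset against a domain controller, compares it with the 5-minute Kerberos tolerance, and only if the tolerance is exceeded configures the client to follow the domain hierarchy and resyncs. It assumes an elevated PowerShell on a domain-joined client, that dc01.corp.example is a placeholder for a reachable DC, and that the /stripchart /dataonly sample lines have the form "HH:mm:ss, +SS.fffffffs"; anything that does not parse is surfaced as an error instead of being ignored.

```powershell
# Added example, not from the original post or the linked TechNet article. Measures this
# client's clock offset against a domain controller with w32tm and resyncs from the domain
# hierarchy only when the offset exceeds the Kerberos tolerance. Assumptions: elevated
# PowerShell on a domain-joined client; dc01.corp.example is a placeholder DC name; the
# /stripchart /dataonly sample format 'HH:mm:ss, +SS.fffffffs' is assumed and any other
# line shape is reported as an error rather than silently skipped.
param(
    [string]$DomainController = 'dc01.corp.example',
    [int]$MaxSkewSeconds = 300   # Kerberos policy default: 5 minutes
)

# Three one-shot NTP samples against the DC; output is plain text, one sample per line.
$raw = w32tm /stripchart /computer:$DomainController /samples:3 /dataonly
if ($LASTEXITCODE -ne 0) { throw "w32tm failed (exit $LASTEXITCODE):`n$($raw -join "`n")" }

# Keep only lines that look like a sample; per-sample errors such as 'error: 0x800705B4'
# do not match and are dropped, so an all-error run ends in the throw below.
$offsets = @(foreach ($line in $raw) {
    if ($line -match '^\d{2}:\d{2}:\d{2},\s*([+-])(\d+(?:\.\d+)?)s') {
        [double]"$($Matches[1])$($Matches[2])"   # signed seconds, DC clock minus local clock
    }
})
if ($offsets.Count -eq 0) { throw "No offset samples parsed from w32tm output:`n$($raw -join "`n")" }

$skew = [math]::Abs(($offsets | Measure-Object -Average).Average)
if ($skew -le $MaxSkewSeconds) {
    'Clock offset against {0} is {1:N3}s, within the {2}s Kerberos tolerance.' -f $DomainController, $skew, $MaxSkewSeconds
    return
}

Write-Warning ('Clock offset against {0} is {1:N1}s, above {2}s: Kerberos will reject tickets with KRB5KRB_AP_ERR_SKEW.' -f $DomainController, $skew, $MaxSkewSeconds)
# Sync from the domain hierarchy (the DCs), not from the IIS server: two peers can drift together.
w32tm /config /syncfromflags:domhier /update
w32tm /resync /rediscover
w32tm /query /status
```

The net time /domain /set step in the excerpt sets the clock once; w32tm is the tool Microsoft documents for the Windows Time service, and the /config line above keeps the client following the domain controllers afterwards, so the 13-minute drift seen in this case does not build up again.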
More information:
How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication
http://support.microsoft.com/kb/215383/
Regards,
Anik Shen
Reference:
http://blogs.msdn.com/b/asiatech/archive/2009/04/27/kerberos-authentication-failed-due-to-time-skew.aspx