
I have an ASP.NET 2.0 site configured to perform Windows Integrated Security using Kerberos delegation. The servers, including the DC, are running on Windows 2003, and the delegation is raised to the Windows 2003 level.

BTW, all servers are set to EST.

The authentication works well, and then suddenly the server writes an LsaSrv warning event (event ID 40960) in the System log complaining about the time difference between the servers. During this time the clients get a 401.2 message for all requests. After 20-30 mins, the auth starts working "magically".

I ran Wireshark and Fiddler traces and found that the timestamp in the response header is in GMT even though the server is configured for EST. I'm not sure how this is picked up. Any ideas?

Any other suggestions are much appreciated.

G33kKahuna

4 Answers


GMT and EST are not likely the problem.

Kerberos requires that all participants have a clock that is within 5 minutes of each other. I suspect you need to ensure that the servers and clients all have a time that is within that window.

I use NTP, personally, even on Windows. There is probably a "Windows way" though.

Michael Graff

Thanks for the guidance. We opened a call with Microsoft and they were able to narrow it down to a Kerberos ticket expiration bug. The call was opened on 2/10 and a hotfix was provided. So far, no issues have been reported.

Below is the support link:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;979159

G33kKahuna

Go to Run, type regedit, and navigate to HKEY_USERS\.DEFAULT\Control Panel\International

On the right side, modify sShortDate to dd-MM-yyyy

Restart IIS.


Kerberos is extremely time-sensitive: you need to make sure that the time on the IIS server matches your Domain Controller's time.

The article "How Windows Time Service Works" has a basic overview.

First, you need to make sure your PDC emulator's time is correct: "How to configure an authoritative time server in Windows Server".

Next, on the IIS server, set it to sync with the domain: "Configure a client computer for automatic domain time synchronization".

That should do it.

Christopher_G_Lewis
  • Note that domain members will perform time sync with a DC by default, the only reason to mess with this is to revert the Windows Time service to its default settings in the event that someone else has messed with it previously. – ThatGraemeGuy Feb 23 '10 at 15:34
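A way to check for the skew this answer describes, as an added PowerShell example that is not part of the original post or of Microsoft's documentation: it measures the IIS server's offset against a DC with w32tm, compares it with the 5-minute Kerberos tolerance mentioned above, and looks for the LsaSrv 40960 event from the question. The DC name is a placeholder, and the "time, offset" line format of `w32tm /stripchart /dataonly` is an assumption.

```powershell
# Added example (not from the original post): measure this server's clock offset against a DC,
# compare it with the 5-minute Kerberos tolerance, and correlate with LsaSrv event 40960.
param(
    [string]$Dc = 'DC01.example.com',   # placeholder: your PDC emulator or any reachable DC
    [int]$Samples = 5,
    [switch]$Fix                        # re-point the Windows Time service at the domain hierarchy
)

$maxSkewSeconds = 300   # Kerberos default clock tolerance is 5 minutes

# Collect offset samples; /dataonly prints one "HH:mm:ss, +00.0012345s" line per sample (assumed format)
$raw = & w32tm /stripchart /computer:$Dc /samples:$Samples /dataonly 2>&1
$offsets = foreach ($line in $raw) {
    if ($line -match ',\s*([+-]?\d+\.\d+)s') { [double]$Matches[1] }
}
if (-not $offsets) {
    Write-Warning "No offset samples from $Dc (NTP/UDP 123 blocked, or output not recognised):`n$($raw -join "`n")"
    exit 2
}
$avg = ($offsets | Measure-Object -Average).Average
$status = if ([math]::Abs($avg) -gt $maxSkewSeconds) { 'FAIL' } else { 'OK' }
"{0}: average offset to {1} is {2:N3} s (limit {3} s)" -f $status, $Dc, $avg, $maxSkewSeconds

# Correlate with the symptom from the question: LsaSrv warning 40960 in the System log
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'LsaSrv'; Id = 40960 } `
          -MaxEvents 5 -ErrorAction SilentlyContinue
if ($events) {
    "Recent LsaSrv 40960 events (newest first):"
    $events | ForEach-Object { "  {0:u}  {1}" -f $_.TimeCreated, ($_.Message -split "`n")[0] }
}

# Remediation from this answer: sync from the domain hierarchy, then force a resync now
if ($Fix -and $status -eq 'FAIL') {
    & w32tm /config /syncfromflags:domhier /update
    & w32tm /resync /rediscover
    "Windows Time reconfigured; re-run this script to confirm the offset is within limits."
}
```

Run it on the IIS server as an administrator; without `-Fix` it only reports, so it is safe to schedule as a recurring check.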