We have a DFS share that redirects users to an EMC CIFS share. Several end users are unable to access it and get the following Kerberos Security warning:

The System Detected an attempt to compromise security

I believe it's because the Kerberos permitted clock skew on the DCs is set too low.

Where do I set this, or what other items may be the culprit?

makerofthings7
  • What is the exact error message you are getting? Also you want to fix timesync, not mess with the allowed clock skew settings – Zypher Feb 01 '12 at 23:01
  • @Zypher I'll update the error message shortly. The time is within .06 seconds of the DC. I suspect a previous admin decreased this value to "increase" security – makerofthings7 Feb 01 '12 at 23:08

2 Answers

If the time's within a second, then clock skew is not your issue. The most sensitive that it can be configured to is 1 minute.

That said, the setting is located within Computer Policies -> Windows Settings -> Security Settings -> Account Policies -> Kerberos Policy, "Maximum tolerance for computer clock synchronization".

Shane Madden

Shane is right about the time skew, it is probably not your issue; the default setting is 5 minutes tolerance btw.

When talking about time-outs, be aware that the time-out value for a Kerberos v5 authentication operation is 30 seconds. This can be adjusted by the KdcWaitTime value in the following key on the Domain Controller:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]

Another issue (although uncommon in small and mid-sized forests) is the default token size limitation of 12 kilobytes. If the user's token size exceeds 12K, you might also run into problems. Read more about the token size issue here

This is guesswork, however, as your question doesn't really bring any valuable diagnostic information to the table.

Mathias R. Jessen
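The three candidates raised in the answers above (clock skew, overrides under the Kerberos Parameters key, token size) can be checked in one pass. This is an added example, not code from either answer; the DC name is a placeholder, the `MaxTokenSize` value name and the `1200 + 40d + 8s` estimate come from Microsoft's token size guidance rather than from this page, and the 12K limit is taken as 12000 bytes.

```powershell
# Added diagnostic example; not part of the original answers.
param(
    [string]$DomainController = 'dc01.example.test',  # placeholder: use your own DC
    [int]$ToleranceMinutes = 5                        # default tolerance quoted above
)

# 1. Clock offset against the DC. With /dataonly, w32tm prints lines such as
#    "14:32:01, +00.0612345s" (constructed sample of the format).
$raw = & w32tm.exe /stripchart /computer:$DomainController /samples:3 /dataonly 2>&1
$offsets = @(foreach ($line in $raw) {
    if ("$line" -match ',\s*([+-]\d+[.,]\d+)s\s*$') {
        [double]::Parse($Matches[1].Replace(',', '.'), [cultureinfo]::InvariantCulture)
    }
})
if ($offsets.Count -eq 0) {
    Write-Warning "No time samples from $DomainController (name resolution, UDP 123?)."
} else {
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    $ok = $worst -lt ($ToleranceMinutes * 60)
    '{0:N3} s worst offset, tolerance {1} min: {2}' -f $worst, $ToleranceMinutes,
        $(if ($ok) { 'skew is not the cause' } else { 'fix time sync' })
}

# 2. Kerberos overrides under the key named above. Absent values mean defaults.
#    KdcWaitTime applies on the DC, so run this part there as well.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$kerb = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
foreach ($name in 'KdcWaitTime', 'MaxTokenSize') {
    $value = if ($kerb) { $kerb.$name }
    '{0}: {1}' -f $name, $(if ($null -ne $value) { $value } else { 'not set (default)' })
}

# 3. Rough token size from the SIDs in the current logon token, using the
#    estimate 1200 + 40d + 8s and counting every SID at the larger 40 bytes.
$sids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups.Count
$estimate = 1200 + 40 * $sids
# Fall back to the 12K default cited above (assumed to mean 12000 bytes).
$limit = if ($kerb -and $kerb.MaxTokenSize) { $kerb.MaxTokenSize } else { 12000 }
'{0} group SIDs, about {1} bytes against a limit of {2}' -f $sids, $estimate, $limit
```

Run it in the session of an affected user, since step 3 reads that user's own token.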