We have a problem with false positives in Kerberos replay detection. It happens more often than we would expect. Our KDC is Active Directory. I have come to suspect that the timestamps in the authenticators effectively have less than the microsecond granularity as specified in RFC 4120. For example, it could be that the tick of the system clock is less than a microsecond.
Can anyone confirm or refute my suspicion?
- In practice, the Windows system clock has a precision of 10-16 milliseconds. – Greg Askew Jul 25 '17 at 15:47
- Do I understand this correctly? If the AD server asks Windows for the current timestamp twice spaced by 10 ms, it is quite likely that the same timestamp will be returned? – Karsten Spang Jul 27 '17 at 07:44
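The following is an added illustration of the mechanism the question and the comment above describe; it is not code from the poster, from Active Directory, or from any Kerberos implementation. It models the replay cache of RFC 4120 section 3.2.3, which keys on (client, server, ctime, cusec) of received authenticators, and feeds it two legitimate requests from the same client 5 ms apart, once with a microsecond-resolution clock and once with a clock that only advances every 15.625 ms (1/64 s, assumed here as a typical Windows timer interval within the 10-16 ms range quoted in the comment). The second request is wrongly rejected as a replay under the coarse clock. The `observed_tick_ns` helper measures the resolution of the local clock so the same check can be run on a real host.

```python
"""Added example: spurious Kerberos replay rejections caused by a coarse
authenticator clock. Minimal model of the RFC 4120 replay cache, not an
implementation from Active Directory or any Kerberos library."""
import time
from dataclasses import dataclass

SKEW_SECONDS = 300  # RFC 4120 default clock-skew tolerance (5 minutes)
US_PER_SECOND = 1_000_000


@dataclass(frozen=True)
class Authenticator:
    """The fields of an AP-REQ authenticator that the replay cache keys on."""
    client: str
    server: str
    ctime: int   # seconds since the epoch (Kerberos ctime)
    cusec: int   # microsecond part (Kerberos cusec, 0..999999)


class ReplayCache:
    """Remembers authenticators seen within the skew window. A second
    authenticator with the same (client, server, ctime, cusec) tuple is
    treated as a replay, exactly as RFC 4120 section 3.2.3 requires."""

    def __init__(self) -> None:
        self._seen: dict[tuple, float] = {}

    def check(self, auth: Authenticator, now_seconds: float) -> bool:
        # Drop entries older than the skew window; they can no longer be replayed.
        self._seen = {k: t for k, t in self._seen.items()
                      if now_seconds - t <= SKEW_SECONDS}
        key = (auth.client, auth.server, auth.ctime, auth.cusec)
        if key in self._seen:
            return False          # would be answered with KRB_AP_ERR_REPEAT
        self._seen[key] = now_seconds
        return True               # accepted


def make_authenticator(client: str, server: str, t_us: int, tick_us: int) -> Authenticator:
    """Authenticator a client would emit at absolute time t_us (microseconds)
    if its clock only advances in steps of tick_us microseconds."""
    quantized = (t_us // tick_us) * tick_us
    return Authenticator(client, server,
                         quantized // US_PER_SECOND, quantized % US_PER_SECOND)


def simulate_replay_checks(tick_us: int, gap_us: int = 5_000) -> list[bool]:
    """Two genuine requests from the same client to the same service,
    gap_us apart, checked against one replay cache. Returns the accept/
    reject decision for each request. Times are constructed sample values."""
    base_us = 1_500_000_000 * US_PER_SECOND    # constructed: mid-July 2017
    t1 = base_us + 2_000                       # 2 ms into a 15.625 ms tick
    t2 = t1 + gap_us                           # still inside the same tick
    cache = ReplayCache()
    results = []
    for t in (t1, t2):
        auth = make_authenticator("alice@EXAMPLE.COM", "cifs/fs01.example.com", t, tick_us)
        results.append(cache.check(auth, t / US_PER_SECOND))
    return results


def observed_tick_ns(samples: int = 10_000) -> int:
    """Smallest non-zero step seen between consecutive reads of the local
    clock (0 if it never advanced during the sample). Compare this with the
    1 us granularity the authenticator format can express."""
    readings = [time.time_ns() for _ in range(samples)]
    steps = [b - a for a, b in zip(readings, readings[1:]) if b > a]
    return min(steps) if steps else 0


if __name__ == "__main__":
    print("1 us clock     :", simulate_replay_checks(tick_us=1))        # [True, True]
    print("15.625 ms clock:", simulate_replay_checks(tick_us=15_625))   # [True, False]
    print("local clock step (ns):", observed_tick_ns())
```

Under the coarse clock both authenticators carry identical ctime/cusec values even though they are distinct, legitimate requests, so the cache cannot tell the second one from a replay. The defensive takeaway is that a replay cache keyed on the timestamp alone is only as discriminating as the client's clock; implementations that also include other authenticator material (such as the checksum or the sequence number) in the cache key, or clients that guarantee strictly increasing cusec values, avoid this class of false positive.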