
Removing time synchronization constraints from Kerberos authentication


  • Removing time synchronization constraints from Kerberos authentication

    Hello all,

    I have an interesting challenge to figure out. We have a test lab with a number of boxes running quite a few virtual servers, all of which are Windows 2003 images, and all of which are part of a domain. This domain basically only services the testing environments, and thus I can change it and relax any security settings I need to. The environment is secure and thus security is not a big concern.

    The problem is that much of the testing involves running things "over time" which is synthetically simulated by changing the system clock (i.e. run X, change time, run Y, change time, etc.).

    Obviously, as soon as the scripts change the system time, Kerberos begins to fail, killing the tests. The maximum date difference will be two weeks before and after the current system date. Thus, I set the max lifetime for service ticket, max lifetime for user ticket, max lifetime for user ticket renewal, and max tolerance for computer clock sync to values that would be large enough to not fail the ticket. This works when the client clocks are "ahead" of the DC clock, but when they are "behind" I get KRB_AP_ERR_TKT_NYV Kerberos failures.

    Does anyone have any ideas how I can get around this? I am up for creative solutions, but I don't really want to remove AD, because I use it for its other services (besides security).

    What about reverting back to NTLM authentication? Is that possible?

    Surely other people who have to test time-sensitive software have run into similar issues... hopefully.

    Thanks in advance for any help anyone can provide!


  • #2
    Re: Removing time synchronization constraints from Kerberos authentication

    If your application is capable and the AD is set to allow it, you can revert to NTLM authentication, but I would seriously consider coupling this with Windows-based IPsec filtering to ensure a modicum of safety between client and server.

    There is no way to omit the time constraints from Kerberos; it uses the date and time in the process of authentication and in the process of manufacturing tickets. If the date and time are wrong, the tickets manufactured are invalid to everyone else.

    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you


    • #3
      Re: Removing time synchronization constraints from Kerberos authentication

      Thanks for the info! How can I revert back to NTLM? Do you have a link? I have tried searching, but all I get is a description of the difference between NTLM and Kerberos or a description of Mixed Mode.

      Thanks again!


      • #4
        Re: Removing time synchronization constraints from Kerberos authentication

        Use group policy for the same:

        Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options:

        Network security: LAN Manager authentication level

        Change it.
        Kapil Sharma
        Life is too short, Enjoy It.


        • #5
          Re: Removing time synchronization constraints from Kerberos authentication

          OK, so just so I'm clear, because I am not an inexperienced AD admin:

          I am changing the security policy on the DC to (0) - Use LM and NTLM only, and then changing the policy for the clients (all of my clients are in one OU, so I can assign it there, right?) to use LM and NTLM.

          I am slightly confused on the verbiage here, though: which protocol is used with Kerberos? I.e., if I set it to use LM and NTLM, will it not still attempt to authenticate using the Kerberos protocol? How would I force it to not use Kerberos?

          Thanks so much for the help!


          • #6
            Re: Removing time synchronization constraints from Kerberos authentication

            As far as I know, there is no way to fully disable Kerberos in an AD environment.

            As for your problem, there is more info needed:

            - do you reboot the member server after shifting its clock?
            - what are the exact steps to reproduce the behavior you are observing?

            I am not totally sure, but I expect that what is going on is something like:

            1) the user requests the ticket
            2) the TGT is stamped with X
            3) the computer clock is shifted so that the time the TGT was issued is in the future, and the ticket is flagged as INVALID

            The way to work around this should be to reboot the member server and log in again, or to purge/renew the Kerberos tickets after the clock shift.
            Guy Teverovsky
            "Smith & Wesson - the original point and click interface"
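
Editor's added example (not code from any of the posts above, from Windows, or from any Kerberos implementation): a small model of the RFC 4120 section 3.2.3 ticket time checks, to make the asymmetry in post #1 and the cached-ticket explanation and workaround in post #6 concrete. It maps the two Windows policy names to RFC terms: "Maximum tolerance for computer clock synchronization" is the clock-skew tolerance, "Maximum lifetime for service ticket" is the ticket lifetime. The reference time, the two-week shift and the 30-day lifetime are constructed values; the defaults (5 minutes skew, 10 hours lifetime) are the usual Windows domain policy defaults and are assumed here. Anything Windows does beyond the RFC rules when picking a cached ticket is not modelled.

```python
"""Model of the Kerberos ticket time checks in RFC 4120 section 3.2.3.

Added illustration for this thread; it is not code from the posts, from
Windows or from any Kerberos implementation.  A ticket is stamped with
the KDC's clock when issued; an application server rejects it with
KRB_AP_ERR_TKT_NYV if starttime lies more than one skew tolerance in its
future, or KRB_AP_ERR_TKT_EXPIRED if endtime lies more than one tolerance
in its past.  Everything else about the protocol is left out.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed Windows Kerberos policy defaults (Default Domain Policy).
DEFAULT_SKEW = timedelta(minutes=5)      # Max tolerance for computer clock synchronization
DEFAULT_LIFETIME = timedelta(hours=10)   # Max lifetime for service ticket
TWO_WEEKS = timedelta(days=14)           # the lab's maximum shift, from post #1

# Constructed reference instant: the DC's real time when a test run starts.
T0 = datetime(2010, 3, 1, 9, 0, 0)


@dataclass(frozen=True)
class Ticket:
    starttime: datetime
    endtime: datetime


def issue_ticket(kdc_now: datetime, lifetime: timedelta) -> Ticket:
    """The KDC stamps validity from its own clock (RFC 4120 section 3.1.3)."""
    return Ticket(starttime=kdc_now, endtime=kdc_now + lifetime)


def ap_check(ticket: Ticket, server_now: datetime, skew: timedelta) -> str:
    """Application-server time checks on a presented ticket (RFC 4120 3.2.3).

    The authenticator ctime check (KRB_AP_ERR_SKEW) is omitted: in the lab
    the client and the service it calls sit on the same shifted box.
    """
    if ticket.starttime > server_now + skew:
        return "KRB_AP_ERR_TKT_NYV"
    if server_now > ticket.endtime + skew:
        return "KRB_AP_ERR_TKT_EXPIRED"
    return "OK"


def lab_run(server_shift: timedelta, kdc_shift: timedelta,
            lifetime: timedelta = DEFAULT_LIFETIME, skew: timedelta = DEFAULT_SKEW,
            purge_after_shift: bool = False) -> str:
    """One 'run X, change time, run Y' step from post #1.

    A ticket is obtained at T0, then clocks move: the member server by
    server_shift, the DC by kdc_shift (zero if the DC stays on real time).
    With purge_after_shift the cached ticket is discarded and a fresh one
    requested from the now-shifted DC, which is the workaround in post #6.
    """
    ticket = issue_ticket(T0, lifetime)           # cached before the shift
    server_now = T0 + server_shift
    kdc_now = T0 + kdc_shift
    if purge_after_shift:
        ticket = issue_ticket(kdc_now, lifetime)  # purge tickets, log on again
    return ap_check(ticket, server_now, skew)


def summary() -> dict:
    """The cases discussed in the thread, as case -> verdict."""
    long_life = timedelta(days=30)
    return {
        # Clocks moved ahead: the cached ticket is merely old, so lifetime is the knob.
        "ahead, defaults": lab_run(TWO_WEEKS, TWO_WEEKS),
        "ahead, lifetime raised to 30 days": lab_run(TWO_WEEKS, TWO_WEEKS, lifetime=long_life),
        # Clocks moved behind: the cached ticket starts in the future; lifetime cannot help.
        "behind, lifetime raised to 30 days": lab_run(-TWO_WEEKS, -TWO_WEEKS, lifetime=long_life),
        "behind, purge and re-issue": lab_run(-TWO_WEEKS, -TWO_WEEKS, purge_after_shift=True),
        # DC left on real time: only a skew tolerance >= the shift helps; purging does not.
        "behind, DC unshifted, purge": lab_run(-TWO_WEEKS, timedelta(0), purge_after_shift=True),
        "behind, DC unshifted, skew 15 days": lab_run(-TWO_WEEKS, timedelta(0), skew=timedelta(days=15)),
    }


if __name__ == "__main__":
    for case, verdict in summary().items():
        print(f"{case:38s} -> {verdict}")
```

The two knobs are independent: raising the ticket lifetimes (as post #1 did) only widens the expiry check, which is why the "ahead" shifts survived, while a clock moved backwards fails the not-yet-valid check against the ticket's start time no matter how long the ticket lives. For that direction either the skew tolerance must cover the whole shift, or the cached ticket must be dropped and re-issued by a KDC whose own clock has moved, which is the purge/re-logon workaround in post #6.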