Time differences between clients and server


  • Time differences between clients and server

    I have got a time difference problem between clients and server. I have been experiencing this problem for a long time and I couldn't solve it, and my clients can't log on to the server. How can I solve this? Thanks a lot.
    Nothing...

  • #2

    How to configure an authoritative time server in Windows XP:

    http://support.microsoft.com/kb/314054

    A list of the Simple Network Time Protocol (SNTP) time servers that are available on the Internet:

    http://support.microsoft.com/kb/262680

    I do the following when I set up a machine and time seems not to drift even after months w/out a reboot:

    net time /setsntp:<time server IP>

    net stop w32time
    net start w32time

    w32tm /resync

    Hope that gets you started.
    Cheers,

    Rick

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    © 2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.

    • #3

      I will try them... thanks a lot

      • #4

        Why not add a line of code to your logon batch file that syncs the time with the logon server?

        net time %LOGONSERVER% /set /y

        This should cure any problems you have short term.

        Longer term you could implement a time server but to be honest I don't use one.

        • #5

          If you just do the "net time %LOGONSERVER% /set /y" and you leave your boxes logged on forever or "lights out" (no logons), you may see some drift.

          I do a lot of work in processing plants and have some time stamp critical n-tier collector / server boxes. Things get all mucked up if the times on all the boxes aren't the same.

          Probably overkill for the original poster but it does ensure the problem doesn't happen. If all the machines can see the internet, use a SNTP source on the web in your region.
          Cheers,

          Rick

          • #6

            Originally posted by rvalstar:
            If you just do the "net time %LOGONSERVER% /set /y" and you leave your boxes logged on forever or "lights out" (no logons), you may see some drift.

            I do a lot of work in processing plants and have some time stamp critical n-tier collector / server boxes. Things get all mucked up if the times on all the boxes aren't the same.

            Probably overkill for the original poster but it does ensure the problem doesn't happen. If all the machines can see the internet, use a SNTP source on the web in your region.

            You're correct but depending on the OP's circumstances they may NOT need the added time server.

            Again, the fix I posted will allow the OP's users to keep within the 5 min window for Windows logons.

            • #7

              I am interested to hear from mncicek on what kind of time deltas he / she was experiencing between client and server, as well as any speculation / anecdotal evidence / conclusion as to why a client couldn't log on w/ a time delta present.
              Last edited by rvalstar; 6th November 2006, 21:50. Reason: spell check
              Cheers,

              Rick

              • #8

                Originally posted by rvalstar:
                I am interested to hear from mncicek on what kind of time deltas he / she was experiencing between client and server, as well as any speculation / anecdotal evidence / conclusion as to why a client couldn't log on w/ a time delta present.

                From memory there should be no more than a maximum of 5 mins between the server and client before authentication fails.

                • #9

                  Just took a workstation on one of the top 10 Fortune Global 500 company's networks and jacked the time down by an hour. Was able to log on without issue.

                  So where does the 5 minutes come into play?

                  Now I should note logging on locally did not change the time but logging on through a domain account did. Still, if this company's logon script is fixing the time, it had to get past authentication for that to occur.

                  Just trying to learn.
                  Last edited by rvalstar; 6th November 2006, 22:10. Reason: added more info
                  Cheers,

                  Rick

                  • #10

                    I knew it had something to do with Kerberos.

                    Quote from here

                    http://searchwindowssecurity.techtar...014049,00.html

                    Kerberos time sensitivity

                    Time is a critical service in Windows 2000 and Windows Server 2003. Timestamps are needed for directory replication conflict resolution, but also for Kerberos authentication. Kerberos uses timestamps to protect against replay attacks. Computer clocks that are out of sync between clients and servers can cause authentication to fail or extra authentication traffic to be added during the Kerberos authentication exchange.

                    To illustrate the importance of time for Kerberos authentication, let's look at what really happens during a KRB_AP_REQ and KRB_AP_REP Kerberos exchange:


                    1. A client uses the session key it received from the KDC to encrypt its authenticator. The authenticator is sent out to a resource server together with the ticket.

                    2. The resource server compares the timestamp in the authenticator with its local time. If the time difference is within the allowed time skew, it goes to step (4). By default, the maximum allowed time skew is 5 minutes—this setting can be configured through domain-level GPOs.

                    3. If step (2) failed, the resource server sends its local current time to the client. The client then sends a new authenticator using the new timestamp it received from the resource server.

                    4. The resource server compares the timestamp it received from the client with the entries in its "replay cache" (this is a list of recently received timestamps). If it finds a match, the client's authentication request will fail. If no match is found, client authentication has succeeded, and the resource server will add the timestamp to its replay cache.

                    The service responsible for time synchronization between Windows 2000, Windows XP, and Windows Server 2003 computers is the Windows Time Synchronization Service (W32time.exe). The Windows time service is compliant with the Simple Network Time Protocol (SNTP) as defined in RFC 1769 (available from http://www.ietf.org/rfcs/rfc1769.txt). SNTP makes sure that the computer clocks are within 20 seconds of each other. A protocol that can provide more accurate time synchronization than SNTP is the Network Time Protocol (NTP). NTP is defined in RFC 1305 (available from http://www.ietf.org/rfcs/rfc1305.txt). Because the Windows 2000 AD replication and Kerberos do not require the level of time accuracy offered by NTP, the Windows developers decided to implement the SNTP protocol as the time protocol for Windows 2000 and later OSs.

                    Comment
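A toy model of the four steps quoted in post #10, as an added example that is not part of the thread or of the quoted article. The class and function names are hypothetical, the timestamps are constructed, and no real Kerberos messages or encryption are involved; it only shows how the skew check, the retry with the server's time, and the replay cache interact.

```python
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # default maximum skew quoted in the post


class ResourceServer:
    """Hypothetical model of the resource server's checks (steps 2-4 of the quote)."""

    def __init__(self, max_skew=MAX_SKEW):
        self.max_skew = max_skew
        self.replay_cache = set()  # (client, authenticator timestamp) pairs already accepted

    def check(self, client, auth_time, now):
        # Step 2: compare the authenticator timestamp with the server's local time.
        if abs(now - auth_time) > self.max_skew:
            # Step 3: reject and hand the server's current time back to the client.
            return ("SKEW", now)
        # Step 4: a timestamp already in the replay cache is refused.
        key = (client, auth_time)
        if key in self.replay_cache:
            return ("REPLAY", None)
        # Entries outside the skew window can never pass step 2 again,
        # so the cache only has to remember the last few minutes.
        self.replay_cache = {(c, t) for c, t in self.replay_cache
                             if abs(now - t) <= self.max_skew}
        self.replay_cache.add(key)
        return ("OK", None)


def authenticate(server, client, client_clock, server_clock):
    """Client side: send an authenticator; on a skew error retry once with the server's time."""
    status, server_time = server.check(client, client_clock, server_clock)
    if status == "SKEW":
        status, _ = server.check(client, server_time, server_clock)
        return "OK_AFTER_RETRY" if status == "OK" else status
    return status


def demo():
    # Constructed sample times, not taken from the thread.
    t0 = datetime(2006, 11, 6, 22, 0, 0, tzinfo=timezone.utc)
    srv = ResourceServer()
    first = t0 + timedelta(minutes=2)
    return [
        authenticate(srv, "ws1", first, t0),                      # clock 2 minutes fast
        authenticate(srv, "ws2", t0 - timedelta(hours=1), t0),    # clock 1 hour slow
        srv.check("ws1", first, t0 + timedelta(minutes=1))[0],    # same authenticator sent again
        srv.check("ws1", first, t0 + timedelta(minutes=30))[0],   # same authenticator, much later
    ]


if __name__ == "__main__":
    print(demo())
```

The last two cases show the division of labour: the replay cache catches a re-sent authenticator inside the window, and the skew check catches it once the window has passed.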


                    • #11

                      Great find.

                      My use of anything from mythology has been a disaster so I would naturally stay away from Kerberos. Long ago I named a server "Thor" after the Norse god of thunder. Later I got a bigger box I named Zeus, the ruler of Mount Olympus. After it was explained to me that I really couldn't keep the theme going mixing Norse with Greek gods, I soured on the whole mythology thing.

                      I take it my obscenely profitable client isn't using Kerberos? How do I verify that?

                      And the follow on question: Has mncicek been bitten by the Kerberos dog?
                      Cheers,

                      Rick

                      • #12

                        I don't know if this will help you

                        http://www.microsoft.com/technet/pro.../kerberos.mspx

                        • #13

                          Per that link:

                          Defaulting to Kerberos

                          NT LAN Manager is the authentication protocol used in Windows NT and in Windows 2000 work group environments. It is also employed in mixed Windows 2000 Active Directory domain environments that must authenticate Windows NT systems. At the stage Windows 2000 is converted to native mode where no down-level Windows NT domain controllers exist, NT LAN Manager is disabled. Kerberos then becomes the default authentication technology for the enterprise.

                          So it is quite possible my client is running mixed mode therefore no issue when I set the time back.

                          mncicek probably doesn't have an NT history at his / her site so Kerberos would be the default.

                          I'll have to pop in my domain disks here at the flat (removable drive trays let me turn few computers into many configurations). I ran a domain here for a while till it proved too cumbersome. Looks like I'll fire it up again this week just to confirm all this.

                          Thanks again for the great find.
                          Cheers,

                          Rick

                          • #14

                            Our apologies to mncicek for the slight deviation from your question but it is a quest for a solution to the time problem. As too was this post some time ago. Might be worth a read? It is certainly interesting.
                            1 1 was a racehorse.
                            2 2 was 1 2.
                            1 1 1 1 race 1 day,
                            2 2 1 1 2

                            • #15

                              Well then, back to the original question on solving the time differences problem between clients and server...

                              We have the SNTP approach but it requires Internet access or a local time server to work. We also have the "net time %LOGONSERVER% /set /y" in the logon script which looks ideal as long as folks log on once in a while. So how do we get the time skew within the Kerberos 5 minute window so we can log on the first time and execute that "net time" command in our logon script? If we're outside that 5 minute window Kerberos is going to prevent us from logging on, correct? Kind of a chicken and egg problem.

                              I see 3 possibilities to get past that first logon:

                              1) Manually set each client's clock to the current time. Could be a logistics issue and a general pain.

                              2) Implement the SNTP approach. Requires the pain of running something on each client plus the necessary access to a time server.

                              3) Relax the 5 minute Kerberos limit till everyone logs on and we get the times sorted. Looks like a possibility. Here's what I found:
                              • Manually disable Kerberos on a user by user basis:

                                http://www.microsoft.com/technet/pro.../kerberos.mspx

                                Example AS Administration

                                The AS request identifies the client to the KDC in plain text. If preauthentication is enabled, a time stamp will be encrypted using the user's password hash as an encryption key. If the KDC reads a valid time when using the user's password hash (stored in the Active Directory) to decrypt the time stamp, the KDC knows that request isn't a replay of a previous request. The preauthentication feature may be disabled for specific users in order to support some applications that don't support the security feature. Access the user account from the Active Directory users and the computers will snap-in and select the account tab. From the account options: slide window, check mark the "Do not require Kerberos" preauthentication option (Figure 2).


                              or
                              • Add a registry value on the server to relax the allowable time skew to ???. This will require a server reboot.

                                http://support.microsoft.com/kb/837361/

                                Registry entries and values under the Parameters key
                                The registry entries that are listed in this section must be added to the following registry subkey:

                                HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

                                Note If the Parameters key is not listed under Kerberos, you must create the key.

                                • Entry: SkewTime
                                Type: REG_DWORD
                                Default Value: 5 (minutes)

                                This value is the maximum time difference that is permitted between the client computer and the server that accepts Kerberos authentication. In Windows 2000 checked build version, the default SkewTime value is 2 hours.


                              Haven't tried any of this yet so, as always, proceed at your own risk. I'm trying to get a set up together today to try all this out but billable work is taking precedence.

                              Hope this helps.
                              Cheers,

                              Rick
