Kerberos Authentication failed due to time skew

Here is a case we recently worked on about Kerberos authentication issue.



Symptoms:

Assume there is a web site which provides search functions under virtual directory with the Integrated Windows authentication. When clients use FQDN access the web site from out-of-domain, they have to click “OK” button three times on popup authentication windows to get the result grid back.



Analysis:

In IIS log, it records "401 1 2148074241" that indicates the handle specified is invalid.

2009-04-15 00:30:26 W3SVC1 10.101.nn.nn GET /Portal/VD/Show.aspx - 80 - 10.1.19.53 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+InfoPath.1) 401 2 2148074254



In Security log, the system was receiving Event ID 537 log.




Event Type:   Failure Audit

Event Source: Security

Event Category:       (2)

Event ID:       537

Date:            4/15/2009

Time:            3:47:32 PM

User:            NT AUTHORITY\SYSTEM

Computer:     XXX

Description:

Logon Failure:

          Reason:                  An error occurred during logon

          User Name: 

          Domain:                

          Logon Type:   3

          Logon Process:         Kerberos

          Authentication Package:       Kerberos

          Workstation Name:   -

          Status code:  0xC000006D

          Substatus code:       0xC0000133

          Caller User Name:    -

          Caller Domain:         -

          Caller Logon ID:       -

          Caller Process ID:     -

          Transited Services:   -

          Source Network Address:    10.101.nn.nn

          Source Port:  1310

          Caller Process Name:          %16




Generally, status code 0xC000006D means "STATUS_LOGON_FAILURE” and sub status code 0xC0000133 translate to “STATUS_TIME_DIFFERENCE_AT_DC”.  The problem could be caused because there is a time difference (greater than 5 minutes) between the two computers.



In the network trace, we also can see

HTTP  KRB Error: KRB5KRB_AP_ERR_SKEW (text/html)

The KRB5KRB_AP_ERR_SKEW indicates clock skew too great.



Check the timestamp between client and server network traces to verify that there is 13 minutes difference.



Solution:



It is clear now that the time difference (>5 min) between client and server causes the Kerberos authentication issue. Change the client machine time to synchronize with IIS server and resolve the issue. Refer to this article:



Verifying Computer Settings for Troubleshooting Kerberos

http://technet.microsoft.com/en-us/library/cc787535.aspx


------------------------------------------------------------------
Make sure that the clocks are synchronized across the domain.

Many network services, including Kerberos authentication are dependent on time synchronization throughout the domain. You can manually synchronize a computer with the time on the domain.

To synchronize the computer's time with the current time on the domain



1.    Click Start, and then click Run.

2.    Type net time /domain /set, and then click OK.
-------------------------------------------------------------------



More information:



How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication　

http://support.microsoft.com/kb/215383/



Regards,



Anik Shen

Referrence:
http://blogs.msdn.com/b/asiatech/archive/2009/04/27/kerberos-authentication-failed-due-to-time-skew.aspx