RE: Time Zone change and Kerberos Auth

Raoul

The reason Windows clients/servers/domain controllers on the domain are
synced to the domain (the DC holding the PDCEmulator role to be precise) is
to maintain Kerberos - the theory being that a large time difference could
indicate an attempt at a man-in-the-middle attack.

Kerberos will tolerate (by default) a time "drift" of up to 5 minutes and
still operate. This setting is set in the Default Domain Policy on every new
installation of Active Directory. As it's a GPO, the drift tolerance can be
altered - but it's not advisable. If you do alter it, you must do so for
the entire domain.

Obviously, time sync can be selectively stopped (just stop the Windows Time
Service), and clocks can be set manually. However, once you drift beyond 5
minutes, the machine will start to behave as if it was no longer a member of
the domain. If you maintain the clocks by hand to within 5 minutes, all will
remain fine.

If you want the time to be reported differently to the application, but
still synced to the domain, you could try altering the timezone on the
offending machines to a location one hour ahead or behind your timezone and
see if that helps.

Cheers

James

James D. Stallard, MIoD
Microsoft and Networks Infrastructure Technical Architect
Web: www.leafgrove.com
LinkedIn: www.linkedin.com/in/jamesdstallard
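As an added illustration (not part of this list thread, and not code from any poster), the following script models what James describes: a KDC's clock-skew check with the default 5-minute tolerance, applied to Raoul's DST-hotfix case. It assumes, as Kerberos does, that timestamps are compared in UTC, so a machine whose DST rule is wrong shows the wrong local hour but still passes as long as its UTC clock stays synced to the PDC emulator; moving the clock by hand to "fix" the display is what breaks authentication. The scenario dates and zone offsets are constructed.

```python
"""Added example: Kerberos clock-skew check versus a DST-rule mismatch.

Assumptions (not from the thread): the default tolerance is 5 minutes,
Kerberos compares UTC timestamps, and the Windows Time service keeps the
client's UTC clock aligned with the PDC emulator regardless of time zone.
"""
from datetime import datetime, timedelta, timezone

# Default Domain Policy value "Maximum tolerance for computer clock synchronization"
MAX_SKEW = timedelta(minutes=5)


def kdc_skew_ok(kdc_utc, client_utc, tolerance=MAX_SKEW):
    """KRB_AP_ERR_SKEW-style check: accept only if |client - kdc| <= tolerance."""
    return abs(client_utc - kdc_utc) <= tolerance


def local_display(utc, standard_offset_hours, dst_in_effect):
    """Wall-clock time a machine displays for a given UTC instant, using its
    own (patched or unpatched) idea of whether DST is in effect."""
    shift = timedelta(hours=standard_offset_hours + (1 if dst_in_effect else 0))
    return (utc + shift).replace(tzinfo=None).strftime("%H:%M")


# Constructed instant: 20 March 2007, after the new US DST start (the rule the
# KB928388 hotfix installs) but before the old April start an unpatched box uses.
KDC_UTC = datetime(2007, 3, 20, 16, 0, tzinfo=timezone.utc)


def scenario_unpatched_but_synced():
    """Client lacks the hotfix: its display is an hour off, but its UTC clock
    is still synced, so the KDC sees zero skew. Returns (patched view,
    unpatched view, skew_ok)."""
    client_utc = KDC_UTC  # time sync keeps UTC identical to the PDC emulator
    patched = local_display(KDC_UTC, -5, dst_in_effect=True)       # Eastern, new rule
    unpatched = local_display(client_utc, -5, dst_in_effect=False)  # Eastern, old rule
    return patched, unpatched, kdc_skew_ok(KDC_UTC, client_utc)


def scenario_manual_clock_fix():
    """Admin moves the unpatched clock forward an hour so the display matches.
    That shifts UTC too, far beyond the tolerance. Returns (skew_seconds, skew_ok)."""
    client_utc = KDC_UTC + timedelta(hours=1)
    skew = int(abs(client_utc - KDC_UTC).total_seconds())
    return skew, kdc_skew_ok(KDC_UTC, client_utc)


if __name__ == "__main__":
    print("unpatched but synced:", scenario_unpatched_but_synced())
    print("manual clock fix:    ", scenario_manual_clock_fix())
```

The same check explains James's time-zone suggestion: changing the zone alters only the displayed hour, so the synced UTC clock and Kerberos are untouched.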

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Raoul Armfield
Sent: 08 February 2007 17:39
To: Willy Fontana
Cc: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Re: Time Zone change and Kerberos Auth

Thanks for your response. My question had to do with the fact that the
client PCs would not have the hotfix. All the servers have the hotfix
applied and none of them would ever have it uninstalled.

Raoul

Willy Fontana wrote:
Raoul and all:

You're right regarding the problems you could face if there is a
difference greater than 10 minutes between any pair of domain
controllers. It has to do more with synchronization than
authentication. Nevertheless, you can manually set the time on a
domain controller and eventually reapply the hotfix if that is an option.

The time service in Windows domains acts as a tree where the root is
either the first domain controller installed for a given domain or the
one holding the PDC emulator role in that domain. Every other server
and workstation synchronize their clocks (by default) based on the
mentioned DC.

You can, however, alter the default behavior of this service by altering
the time server referred to by Windows. You can accomplish this using
the net time commands. Open a command prompt and type net time /? to
obtain help about this command.

I hope this is what you're looking for.

Sincerely,

Willy Fontana


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Raoul Armfield
Sent: Thursday, February 08, 2007 1:07 AM
To: focus-ms@xxxxxxxxxxxxxxxxx
Cc: 'Sally Holt'; ckehayov@xxxxxxxx
Subject: Time Zone change and Kerberos Auth

We have a situation where we need to install a piece of software that
requires us to uninstall the MS hotfix KB928388. This of course is
the hotfix that addresses the upcoming changes in DST here in the US.
Until mid-March this will not pose a problem. However, seeing how
authentication in AD/Kerberos is tied very closely with time
synchronization, we were wondering if there would be a problem with
removing the hotfix and manually setting the clocks on the few
machines that are affected.

My thoughts are that even if we reset the time, once they synchronize
the time with the domain controllers they will go back to the hour off
and authentications will fail. Am I wrong in thinking this?

Raoul
