Kerberos 5-minute time skew
Gurus,
I have one Active Directory 2003 DC and one Windows XP client joined to its
domain. The time zone of both servers is EDT, but even though the actual
time on the client is more than 5 minutes off from that on the DC, the
client is STILL able to login to the domain and STILL able to access file
shares setup on the DC. I thought the Kerberos 5-minute time skew prevented
this?
--
Spin
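To make the question concrete, here is a small model of the clock-skew check a Kerberos server performs on an incoming AP-REQ (RFC 4120, section 3.2.3). This is an added illustration written for this thread, not code from the poster or from Windows; the KerberosTime strings, the 5-minute tolerance and the hypothetical timestamps are constructed for the example. Kerberos timestamps are always UTC, so the time zone configured on client and DC does not enter the comparison, only the offset between their actual clocks.

```python
"""Model of the Kerberos clock-skew check (RFC 4120 section 3.2.3).

Added illustration for the thread, not code from Windows or from the poster.
KerberosTime values are UTC strings of the form 'YYYYMMDDHHMMSSZ', which is
why the local time zone of client and DC is irrelevant to the check.
"""
from datetime import datetime, timedelta, timezone

# Active Directory default for "Maximum tolerance for computer clock synchronization".
DEFAULT_MAX_SKEW = timedelta(minutes=5)


def parse_kerberos_time(s):
    """Parse a KerberosTime string such as '20090615193000Z' into an aware UTC datetime."""
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def local_to_kerberos_time(local_str, utc_offset_hours):
    """Convert a wall-clock time plus UTC offset (EDT is -4) to the KerberosTime
    the client would put in its authenticator.  Shows that the zone is folded
    away before anything is compared."""
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    local_dt = datetime.strptime(local_str, "%Y-%m-%d %H:%M:%S").replace(tzinfo=local_tz)
    return local_dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def check_authenticator_time(ctime, server_now, max_skew=DEFAULT_MAX_SKEW):
    """Return (accepted, reason).

    The server compares the client's authenticator timestamp (ctime) with its
    own clock; if the absolute difference exceeds max_skew the request is
    rejected with KRB_AP_ERR_SKEW (error code 37).
    """
    skew = abs(server_now - parse_kerberos_time(ctime))
    if skew > max_skew:
        return False, f"KRB_AP_ERR_SKEW (skew {skew} > tolerance {max_skew})"
    return True, f"accepted (skew {skew} within {max_skew})"


if __name__ == "__main__":
    # Hypothetical scenario: DC clock reads 19:30:00Z; client is 8 minutes ahead.
    dc_now = parse_kerberos_time("20090615193000Z")
    client_ctime = local_to_kerberos_time("2009-06-15 15:38:00", -4)  # 15:38 EDT
    print(client_ctime, check_authenticator_time(client_ctime, dc_now))
    # Same client only 2 minutes ahead: inside the 5-minute window.
    print(check_authenticator_time("20090615193200Z", dc_now))
```

Run as written, the 8-minute case is rejected with KRB_AP_ERR_SKEW while the 2-minute case is accepted. That is the behaviour the original question expects to see; if a client that far off still authenticates, either the comparison is not happening (no Kerberos exchange at all) or the tolerance is not the default.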
Re: Kerberos 5-minute time skew
Howdie!
Spin wrote:
> I have one Active Directory 2003 DC and one Windows XP client joined to its
> domain. The time zone of both servers is EDT, but even though the actual
> time on the client is more than 5 minutes off from that on the DC, the
> client is STILL able to login to the domain and STILL able to access file
> shares setup on the DC. I thought the Kerberos 5-minute time skew prevented
> this?
Check auditing on the DCs and make sure it is actually Kerberos that
handles authentication - could be NTLM as well if Kerberos is temporarily
not available or the resources are accessed using the server's IP.
Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
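One way to do the check Florian describes, added here as an example and not code from the thread or from Microsoft: pull the successful logon events off the DC and tally them by workstation and authentication package, flagging any that went through NTLM. The sample events below are constructed to resemble the text layout of Windows logon audit events (IDs 528/540 on Windows Server 2003, 4624 on later versions); the host name XPCLIENT, the account name and the 192.0.2.10 address are hypothetical.

```python
"""Triage Windows security-log logon events by authentication package.

Added example for the thread, not the newsgroup's own code.  The sample text
is constructed to mimic the field layout of Windows logon audit events; it is
not real log data.  Field names follow the event text ("Authentication
Package:", "Workstation Name:", "Package Name (NTLM only):").
"""
import re
from collections import Counter, defaultdict

# Constructed sample: three successful logons from one client.  The second
# one fell back to NTLM, which is what happens when a share is opened by IP
# address (no SPN, so no Kerberos service ticket can be requested).
SAMPLE_LOG = """\
Event ID: 540
Logon Type: 3
Account Name: spin
Authentication Package: Kerberos
Workstation Name: XPCLIENT
Source Network Address: 192.0.2.10

Event ID: 540
Logon Type: 3
Account Name: spin
Authentication Package: NTLM
Package Name (NTLM only): NTLM V2
Workstation Name: XPCLIENT
Source Network Address: 192.0.2.10

Event ID: 528
Logon Type: 2
Account Name: spin
Authentication Package: Negotiate
Logon Process: User32
Workstation Name: XPCLIENT
"""

FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")


def parse_events(text):
    """Split blank-line separated events and read each 'Field: value' line into a dict."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        ev = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                ev[m.group(1)] = m.group(2)
        if ev:
            events.append(ev)
    return events


def auth_package(ev):
    """Resolve which package actually authenticated the logon.

    'Negotiate' only says SPNEGO picked a mechanism.  On 4624 events the
    'Package Name (NTLM only)' field is filled in when that choice was NTLM
    and is '-' otherwise; when the field is absent (2003-era events) the
    mechanism cannot be determined from this event alone.
    """
    pkg = ev.get("Authentication Package", "")
    if pkg == "Negotiate":
        ntlm_name = ev.get("Package Name (NTLM only)")
        if ntlm_name and ntlm_name != "-":
            return "NTLM"
        if ntlm_name == "-":
            return "Kerberos"
        return "Negotiate"  # undetermined
    return pkg


def summarize_by_workstation(events):
    """Count logons per workstation, broken down by resolved package."""
    summary = defaultdict(Counter)
    for ev in events:
        summary[ev.get("Workstation Name", "?")][auth_package(ev)] += 1
    return {ws: dict(counts) for ws, counts in summary.items()}


def ntlm_logons(events):
    """Return the events that went through NTLM; each one is a Kerberos miss to explain."""
    return [ev for ev in events if auth_package(ev) == "NTLM"]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ws, counts in summarize_by_workstation(evs).items():
        print(ws, counts)
    for ev in ntlm_logons(evs):
        print("NTLM fallback:", ev.get("Account Name"), "logon type", ev.get("Logon Type"),
              "from", ev.get("Source Network Address", "?"))
```

The point of tallying rather than eyeballing individual events is that a client which "shows Kerberos all over the details" can still have a handful of NTLM network logons mixed in, and those are exactly the ones that will not be subject to the clock-skew check. Export the real events with the DC's event viewer (or a log collector) and feed the text to `parse_events` in place of the constructed sample.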
Re: Kerberos 5-minute time skew
"Florian Frommherz [MVP]" <florian@frickelsoft.DELETETHIS.net> wrote in
message news:uCW2y9aoJHA.4896@TK2MSFTNGP05.phx.gbl...
> Howdie!
> Check auditing on the DCs and make sure it is actually Kerberos that
> authentication handles - could be NTLM as well if Kerberos temporarily not
> available or the resources are accessed using the server's IP.
Florian,
Thx. I checked auditing on the DC and made sure it is using Kerberos. It
shows that in the logon details as I scroll the security log. I guess my
question then is how to force it to use Kerberos and not NTLM? Where do I
configure that?
Re: Kerberos 5-minute time skew
Howdie!
Spin wrote:
> Thx. I checked auditing on the DC and made sure it is using Kerberos.
> It shows that in the logon details as I scroll the security log. I
> guess my question then is how to force it to use Kerberos and not NTLM?
> Where do I configure that?
I'm afraid I can't follow. What did the event log show?
Kerberos is used by default. NTLM is used only in cases where Kerberos is
unavailable (server busy, IP used instead of server name, ..)
You need to look at it from the other side: what are the reasons it uses
NTLM instead of Kerberos? Eliminate those reasons and it'll go fine with
krb.
Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
Re: Kerberos 5-minute time skew
"Florian Frommherz [MVP]" <florian@frickelsoft.DELETETHIS.net> wrote in
message news:ePU2IKcoJHA.504@TK2MSFTNGP06.phx.gbl...
> I'm afraid I can't follow. What did the event log show?
> Kerberos is used by default. NTLM is used only in cases where Kerberos is
> unavailable (server busy, IP used instead of server name, ..)
>
> You need to look at it from the other side: what are the reasons it uses
> NTLM instead of kerberos? Eliminate those reasons and it'll go fine with
These two systems are on the same subnet. They are the only two systems on
the subnet and the only two systems on the network. In the Security log of
the DC, if I go line by line through all the events, "Kerberos" is all over the
details and in the details of each event (event type is "success") - saying
that the client used Kerberos authentication and what not. I have *no*
failures anywhere - no errors at all. And this is odd b/c the time is off
by 8 minutes between client and server - I did this on purpose so that I
could see either (1) a failure of the client to login to the DC or (2)
failure of the client to access a file share on the DC.
Usually, people post to this newsgroup b/c something is going wrong. In my
case, I am posting because everything is going right - when it shouldn't
be!!! :)
Re: Kerberos 5-minute time skew
Unless you have modified the settings (at least if I recall correctly you
can change the time difference value) you must not be monitoring the correct
DC since this machine won't be able to authenticate nor will the user trying
to gain access to the domain.
You can review the tickets and other Kerberos settings. Check out the
available tools and event numbers at:
http://technet.microsoft.com/en-us/l.../cc738673.aspx
Also verify you aren't gaining access via cached credentials. Although that
doesn't sound like it is the case since you have access to domain resources.
My one thought is NTLM. Disabling NTLM authentication would quickly prove
whether or not you are using kerberos, but you might break a whole lot of
other stuff in the process. I would discourage you from attempting it.
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.
"Spin" <Spin@invalid.com> wrote in message
news:71njeqFlqmaqU1@mid.individual.net...
> Gurus,
>
> I have one Active Directory 2003 DC and one Windows XP client joined to
> its domain. The time zone of both servers is EDT, but even though the
> actual time on the client is more than 5 minutes off from that on the DC,
> the client is STILL able to login to the domain and STILL able to access
> file shares setup on the DC. I thought the Kerberos 5-minute time skew
> prevented this?
>
> --
> Spin
>
Re: Kerberos 5-minute time skew
"Paul Bergson [MVP-DS]" <pbbergs@nopspam_msn.com> wrote in message
news:064384E5-6147-4587-9845-974935EABAA5@microsoft.com...
> Unless you have modified the settings (at least if I recall correctly you
> can change the time difference value) you must not be monitoring the
> correct DC since this machine won't be able to authenticate nor will the
> user trying to gain access to the domain.
>
> You can review the tickets and other Kerberos settings. Check out the
> available tools and event numbers at:
> http://technet.microsoft.com/en-us/l.../cc738673.aspx
>
> Also verify you aren't gaining access via cached credentials. Although
> that doesn't sound like it is the case since you have access to domain
> resources. My one thought is NTLM. Disabling NTLM authentication would
> quickly prove whether or not you are using kerberos, but you might break a
> whole lot of other stuff in the process. I would discourage you from
> attempting it.
Paul, I have only one DC in this environment (and one client). That said,
how would I temporarily disable NTLM authentication to check?
Re: Kerberos 5-minute time skew
I don't know, and strangely enough I had a server in my DMZ that was off by 21
minutes and couldn't sync its time. It was a virtual machine and I have learned
that I had to use VMware's host clock for my guest to get the proper time.
I'm guessing it is a VMware bug. Anyway, I am quite perplexed that this
machine was in the exact same scenario as you described and I can't explain
how it was able to function since it needs to work with AD quite
extensively. It had to be using NTLM as well.
If I find out how to test this all out I will post back on this thread.
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.
"Spin" <Spin@invalid.com> wrote in message
news:71q2doFmn2vjU1@mid.individual.net...
> "Paul Bergson [MVP-DS]" <pbbergs@nopspam_msn.com> wrote in message
> news:064384E5-6147-4587-9845-974935EABAA5@microsoft.com...
>> Unless you have modified the settings (at least if I recall correctly you
>> can change the time difference value) you must not be monitoring the
>> correct DC since this machine won't be able to authenticate nor will the
>> user trying to gain access to the domain.
>>
>> You can review the tickets and other Kerberos settings. Check out the
>> available tools and event numbers at:
>> http://technet.microsoft.com/en-us/l.../cc738673.aspx
>>
>> Also verify you aren't gaining access via cached credentials. Although
>> that doesn't sound like it is the case since you have access to domain
>> resources. My one thought is NTLM. Disabling NTLM authentication would
>> quickly prove whether or not you are using kerberos, but you might break
>> a whole lot of other stuff in the process. I would discourage you from
>> attempting it.
>
> Paul, I have only one DC in this environment (and one client). That said,
> how would I temporarily disable NTLM authentication to check?
>
>
Re: Kerberos 5-minute time skew
"Paul Bergson [MVP-DS]" <pbbergs@nopspam_msn.com> wrote in message
news:eiv1a5woJHA.4372@TK2MSFTNGP02.phx.gbl...
> I don't know, and strangely enough I had a server in my DMZ that was off by
> 21 minutes and couldn't sync its time. It was a virtual machine and I have
> learned that I had to use VMware's host clock for my guest to get the
> proper time. I'm guessing it is a VMware bug. Anyway, I am quite perplexed
> that this machine was in the exact same scenario as you described and I
> can't explain how it was able to function since it needs to work with AD
> quite extensively. It had to be using NTLM as well.
>
> If I find out how to test this all out I will post back on this thread.
Paul, thanks for the frank and honest reply. Don't worry about testing
this - I opened up a Microsoft support ticket for this and will post back
with their reply. The engineers I talked to were perplexed as well. I can
guarantee every one of us reading this thread doesn't quite know Kerberos as
well as we thought!