Time different on client machine and server prevents login

I have a customer with a laptop and when he heads back to his docking station after being out of the office for a day or two (not in a different time zone), he tries to log in to the network and his laptop stops the login and reports an issue where his local time is different than the server, and disallows him to log in. As I've been researching, this is caused by Kerberos security relying on correct time between a client machine and the server. I had the customer disconnect from the network, log in as the local administrator, plug back into the network, log off, log back in as himself, and that time around he was able to log in fine.

The odd thing is though when he logged in as the local admin, the time on the laptop was indeed correct.

Anyone have an idea why this is happening? It's happened to him in the past, and I've done this with him again and again to patch the issue.
newgentechnologies Asked:
Brian Pierce Commented:
 
brittonv Commented:
What is the Client OS?

Is the time actually different (greater than 20 seconds) between the workstation and the server? If not, on the Account tab of the user properties in Active Directory Users and Computers, is "logon without kerberos preauthentication" selected? Try deselecting this box.

 
newgentechnologies (Author) Commented:
Yes, the time difference is around 30 seconds.

Client OS is XP Pro SP2.

Would disabling Kerberos preauthentication potentially open up a security threat?
 
McKnife Commented:
First you said "The odd thing is though when he logged in as the local admin, the time on the laptop was indeed correct", then you say "Yes, the time difference is around 30 seconds" - so where do you see these 30 seconds?
Also look into your system event log, you will find messages about w32time service that corrected the system time - when do they appear?
 
brittonv Commented:
I can't comment on the security threat question, but since the time is actually off, that recommendation doesn't apply to you.

What is the status of your w32time service on this client machine?

Is it started and configured for Automatic startup?

 
ChiefIT Commented:
Time is very important to what I do. We have to time stamp all of our scientific sensors so they can be cross referenced.

I have put together a process to show others how to set up an authoritative time server for the domain. We use this process on all of our scientific ships. I hope this helps.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Q_22799695.html
 
brittonv Commented:
Agreed, if you have non-Windows devices, or just want a real time server, then NTP is the way to go! I too find it much easier to work with than Windows.

Windows time is usually 'okay'. But like most Windows operations, you will run into problems with it eventually.

While I don't have the symtime Utility ChiefIT mentioned, any base installation of Linux can run as an NTP time server. We have 2 for redundancy, connecting to the same Stratum 1 servers.

But your computer 'should' be getting its time from the PDC before it attempts to log in. That is why I asked about the state of your time service.

Question has a verified solution.
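
One way to measure the client/server time difference discussed in this thread, as an added example that is not part of any participant's post: a minimal SNTP query in Python that computes the clock offset and compares it with a Kerberos skew tolerance. The function names, the constructed sample reply and the tolerance parameter are assumptions of this example.

```python
import socket
import struct
import time

NTP_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

def _ts(buf, off):
    """Decode the 64-bit NTP timestamp at byte offset `off` into Unix seconds."""
    sec, frac = struct.unpack_from("!II", buf, off)
    return sec - NTP_DELTA + frac / 2**32

def _to_ntp(unix):
    """Encode Unix seconds as a 64-bit NTP timestamp."""
    return struct.pack("!II", int(unix) + NTP_DELTA, int((unix % 1) * 2**32))

def clock_offset(reply, t_send, t_recv):
    """Server-minus-client offset in seconds from a 48-byte SNTP reply.
    t_send / t_recv are the client's clock when the query left and the reply arrived."""
    if len(reply) < 48:
        raise ValueError("short NTP packet")
    if reply[0] & 0x07 != 4 or reply[1] == 0:  # must be mode 4 (server), stratum > 0
        raise ValueError("not a usable server reply")
    t_rx = _ts(reply, 32)  # server receive timestamp
    t_tx = _ts(reply, 40)  # server transmit timestamp
    return ((t_rx - t_send) + (t_tx - t_recv)) / 2

def within_tolerance(offset, tolerance=300.0):
    """True if |offset| fits the allowed skew. The default is the 5-minute
    Windows domain Kerberos policy default; pass your domain's value."""
    return abs(offset) <= tolerance

def query(server, timeout=3.0):
    """Ask `server` (e.g. the domain's time source) over UDP/123 for the offset."""
    pkt = b"\x1b" + bytes(47)  # LI=0, VN=3, Mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t_send = time.time()
        s.sendto(pkt, (server, 123))
        reply, _ = s.recvfrom(512)
        t_recv = time.time()
    return clock_offset(reply, t_send, t_recv)

def sample_reply(server_rx, server_tx):
    """Constructed reply for offline use: LI=0, VN=3, Mode=4, stratum 2."""
    return bytes([0x1C, 2, 0, 0]) + bytes(28) + _to_ntp(server_rx) + _to_ntp(server_tx)
```

Running `query()` against the domain controller from the laptop right after docking, before the Windows Time service has corrected the clock, shows the skew that the logon attempt actually saw.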
