Time different on client machine and server prevents login

Posted on 2007-10-03
Medium Priority
Last Modified: 2013-12-04
I have a customer with a laptop and when he heads back to his docking station after being out of the office for a day or two (not in a different time zone), he tries to login to the network and his laptop stops the login and reports an issue where his local time is different than the server, and disallows him to login. As i've been researching, this is caused by Kerberos security relying on correct time between a client machine and the server. I had the customer disconnect from the network, login as the local administrator, plug back into the network, log off, log back in as himself, and that time around he was able to login fine.

The odd thing is though when he logged in as the local admin, the time on the laptop was indeed correct

Anyone have an idea why this is happening? It's happened to him in the past, and i've done this with him again and again to patch the issue.
Question by:newgentechnologies
LVL 70

Accepted Solution

KCTS earned 1000 total points
ID: 20007950

Expert Comment

ID: 20008024
What is the Client OS?

Is the time acutally different (greater the 20 Seconds) between the workstation and the Server?  If not, on the account tab of the user properties in Active directory Users and computers, "logon without kerberos preauthentication" is it selected.   Try deslecting this box.


Author Comment

ID: 20008039
Yes, the time difference is around 30 seconds.

Client OS is XP Pro SP2.

Would disabling Kerberos preauthentication potentially open up a security threat?
Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

LVL 57

Expert Comment

ID: 20008333
First you said "The odd thing is though when he logged in as the local admin, the time on the laptop was indeed correct", then you say "Yes, the time difference is around 30 seconds" - so where do you see these 30 seconds?
Also look into your system event log, you will find messages about w32time service that corrected the system time - when do they appear?

Expert Comment

ID: 20008356
I can't comment on the securit threat question, but since the time is actually off that recommendation doesn't apply to you.

What is the status of your w32time service on this client machine?

Is it started and configured for Automatic startup?

LVL 39

Assisted Solution

ChiefIT earned 1000 total points
ID: 20020130
Time is very important to what I do. We have to time stamp all of our scientific sensors so they can be cross referenced.

I have put together a process to show others how to set up an authoritative time server for the domain. We use this process on all of our scientific ships. I hope this helps.


Expert Comment

ID: 20021711
Agreed, if you have non windows devices, or just want a real time server, then NTP is the way to go!  I too find it much easier to work with then Windows.

Windows time is usually, 'okay'.  But like most windows operations, you will run into problems with it eventually.

While I don't have the symtime Utility ChiefIT mentioned, any base installation of Linux can run as a NTP Time server.  We have 2 for redundancy, connecting to the same Stratum 1 servers.

But your computer 'should' be getting its time from the PDC Before it attempts to log in.  That is why I asked about the state of your time service.


Featured Post

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question