Time different on client machine and server prevents login

Posted on 2007-10-03
Last Modified: 2013-12-04
I have a customer with a laptop and when he heads back to his docking station after being out of the office for a day or two (not in a different time zone), he tries to log in to the network and his laptop stops the login and reports an issue where his local time is different than the server, and disallows him to log in. As I've been researching, this is caused by Kerberos security relying on correct time between a client machine and the server. I had the customer disconnect from the network, log in as the local administrator, plug back into the network, log off, log back in as himself, and that time around he was able to log in fine.

The odd thing is though when he logged in as the local admin, the time on the laptop was indeed correct.

Anyone have an idea why this is happening? It's happened to him in the past, and I've done this with him again and again to patch the issue.
Question by: newgentechnologies

    Accepted Solution


    Expert Comment

    What is the Client OS?

    Is the time actually different (greater than 20 seconds) between the workstation and the server?  If not, on the Account tab of the user properties in Active Directory Users and Computers, is "logon without kerberos preauthentication" selected?  Try deselecting this box.


    Author Comment

    Yes, the time difference is around 30 seconds.

    Client OS is XP Pro SP2.

    Would disabling Kerberos preauthentication potentially open up a security threat?

    Expert Comment

    First you said "The odd thing is though when he logged in as the local admin, the time on the laptop was indeed correct", then you say "Yes, the time difference is around 30 seconds" - so where do you see these 30 seconds?
    Also look into your system event log, you will find messages about w32time service that corrected the system time - when do they appear?

    Expert Comment

    I can't comment on the security threat question, but since the time is actually off that recommendation doesn't apply to you.

    What is the status of your w32time service on this client machine?

    Is it started and configured for Automatic startup?


    Assisted Solution

    Time is very important to what I do. We have to time stamp all of our scientific sensors so they can be cross referenced.

    I have put together a process to show others how to set up an authoritative time server for the domain. We use this process on all of our scientific ships. I hope this helps.

    Expert Comment

    Agreed, if you have non-Windows devices, or just want a real time server, then NTP is the way to go!  I too find it much easier to work with than Windows.

    Windows time is usually 'okay'.  But like most Windows operations, you will run into problems with it eventually.

    While I don't have the symtime Utility ChiefIT mentioned, any base installation of Linux can run as an NTP time server.  We have 2 for redundancy, connecting to the same Stratum 1 servers.

    But your computer 'should' be getting its time from the PDC before it attempts to log in.  That is why I asked about the state of your time service.
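
To measure the client/server skew this thread is about instead of comparing clocks by eye, here is an added example (not from the thread or any of its participants): a small SNTP client in Python that computes the server-minus-client offset from the four NTP timestamps and compares it with a tolerance you supply from your domain's Kerberos clock-skew policy. It assumes the domain controller or NTP server answers standard SNTP on UDP 123; the function names and the sample reply packet are constructed for illustration.

```python
import socket, struct, time

NTP_UNIX_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

def unix_to_ntp(t):
    """Unix seconds -> 8-byte NTP timestamp (32.32 fixed point, big-endian)."""
    secs = int(t)
    return struct.pack("!II", secs + NTP_UNIX_DELTA, int((t - secs) * 2**32))

def ntp_to_unix(raw):
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_UNIX_DELTA + frac / 2**32

def build_request(t1):
    """48-byte SNTP client request (LI=0, VN=3, Mode=3) carrying t1 as transmit time."""
    return bytes([0x1B]) + bytes(39) + unix_to_ntp(t1)

def clock_offset(reply, t1, t4):
    """Server-minus-client offset in seconds; t1/t4 are client send/receive times."""
    if len(reply) < 48:
        raise ValueError("short NTP packet")
    if reply[0] & 0x07 != 4:
        raise ValueError("not a server-mode reply")
    if reply[1] == 0:
        raise ValueError("stratum 0: server is not offering usable time")
    if reply[24:32] != unix_to_ntp(t1):
        raise ValueError("originate timestamp does not echo our request")
    t2 = ntp_to_unix(reply[32:40])  # server receive time
    t3 = ntp_to_unix(reply[40:48])  # server transmit time
    return ((t2 - t1) + (t3 - t4)) / 2

def exceeds_tolerance(offset, tolerance_s):
    """True when the skew is larger than the tolerance you pass in."""
    return abs(offset) > tolerance_s

def query_offset(server, timeout=3.0):
    """Ask `server` (UDP 123) once and return its offset from this machine's clock."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(t1), (server, 123))
        reply, _ = s.recvfrom(512)
        return clock_offset(reply, t1, time.time())

# Constructed sample: a reply from a server whose clock is 30 s ahead of the client.
T1 = 1191400000.0
SAMPLE_REPLY = (bytes([0x1C, 2]) + bytes(22) + unix_to_ntp(T1)
                + unix_to_ntp(T1 + 30.010) + unix_to_ntp(T1 + 30.011))
SAMPLE_OFFSET = clock_offset(SAMPLE_REPLY, T1, T1 + 0.021)  # about 30.0
```

Run `query_offset()` against the domain controller from the laptop right after it is docked, before the user logs on, to see whether the time service has corrected the clock yet.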

