Make Kerberos work even with wrong time on server

Posted on 2018-03-08
Low Priority
Last Modified: 2018-03-08
This is a strange one. I have a developer who wants to test code on a dev server, but... he has to change the clock for some reason. Meaning the time is off on the server from the time on the rest of the domain. So, once his PowerShell script changes the clock it then can't continue because Kerberos freaks out. (PowerShell is running on his laptop and remoting into said server, but he doesn't change his laptop's time.)

"Starting a command on the remote server failed with the following error message: WinRM cannot process the request.  The following error with errorcode 0x80090324 occured while using Kerberos authentication: There is a time and/or date difference between the client and server."

Everything I Google talks about time syncing errors and how to fix that... but that's not the problem.  I WANT time to be off and authentication to work.
Question by:Tim Phillips

Accepted Solution

Cliff Galiher earned 1000 total points
ID: 42493020
Uhhh. That's sort of core to Kerberos. Usually when a developer wants to do something that seems unreasonable, it *is* unreasonable.

Push back. If changing time is really that important, it can be done on a sandbox (non-domain-joined or a separate dev-only domain) and the dev/test client can also be set to the wrong time so they are still in sync.

Assisted Solution

by:Tim Phillips
Tim Phillips earned 0 total points
ID: 42493116
They found a workaround. They are sending a script block over that changes the date, and then after a certain amount of time it resyncs the clock via NTP. The idea is to run his process outside of that but within the time constraint (300 seconds). Example:

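Here's the script:
Invoke-Command -ComputerName DEVSERVER -ScriptBlock {
    # Set the server clock to the test date
    $DateTime = New-Object DateTime 2019, 5, 10
    Set-Date $DateTime -ErrorAction SilentlyContinue
    # Leave the changed clock in place for 300 seconds
    Start-Sleep -Seconds 300
    # Resync the clock; the first attempt reports "stale", so it is run twice
    w32tm /resync /force
    Start-Sleep -Seconds 5
    w32tm /resync /force
} -ErrorAction SilentlyContinue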

He had to run the w32tm command twice because the first time it says "stale".

Author Closing Comment

by:Tim Phillips
ID: 42493117
Essentially Cliff is correct, but we came up with a nifty workaround for our issue.
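
Added example, not part of the thread: a pre-flight check, run from the client, that measures the clock offset to the server and compares it with the 300-second window before opening a Kerberos-authenticated remoting session (the condition behind error 0x80090324). It assumes DEVSERVER answers NTP queries from `w32tm /stripchart`; the function names and the sample output are constructed for illustration, and 300 seconds is the Kerberos default, which domain policy may change.

```powershell
# Added example. Get-ClockOffsetSeconds and Test-KerberosSkew are hypothetical helper names.

function Get-ClockOffsetSeconds {
    param([Parameter(Mandatory)][string[]]$StripchartOutput)
    # Data lines end in a signed offset such as "+00.0123456s";
    # header lines and "error: 0x..." lines do not match and are skipped.
    foreach ($line in $StripchartOutput) {
        if ($line -match ',\s*([+-]\d+\.\d+)s\s*$') {
            return [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
        }
    }
    throw 'No offset sample in w32tm output (target may not answer NTP queries).'
}

function Test-KerberosSkew {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$MaxSkewSeconds = 300   # assumption: default Kerberos tolerance
    )
    # One NTP sample against the target; this query needs no Kerberos ticket.
    $raw = & w32tm.exe /stripchart "/computer:$ComputerName" /samples:1 /dataonly 2>&1
    $offset = Get-ClockOffsetSeconds -StripchartOutput ($raw | ForEach-Object { "$_" })
    [pscustomobject]@{
        ComputerName  = $ComputerName
        OffsetSeconds = $offset
        WithinSkew    = [math]::Abs($offset) -le $MaxSkewSeconds
    }
}

# Constructed sample output (not captured from a real host): the server clock
# has been moved far ahead of the client, as in the scenario in the thread.
$sample = @(
    'Tracking DEVSERVER [192.0.2.10:123].',
    'Collecting 1 samples.',
    'The current time is 3/8/2018 2:02:11 PM.',
    '14:02:11, +36928669.0123456s'
)
$offset = Get-ClockOffsetSeconds -StripchartOutput $sample
'Offset {0:N0} s, within 300 s window: {1}' -f $offset, ([math]::Abs($offset) -le 300)

# Live check before remoting (requires network access to the server):
# Test-KerberosSkew -ComputerName DEVSERVER
```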
