Make Kerberos work even with wrong time on server

This is a strange one.  I have a developer who wants to test code on a dev server, but.... he has to change the clock for some reason.  Meaning the time is off on the server from the time on the rest of the domain.  So, once his PowerShell script changes the clock it then can't continue because Kerberos freaks out.  (PowerShell is running on his laptop and remoting into said server, but he doesn't change his laptop's time)

"Starting a command on the remote server failed with the following error message: WinRM cannot process the request.  The following error with errorcode 0x80090324 occured while using Kerberos authentication: There is a time and/or date difference between the client and server."

Everything I Google talks about time syncing errors and how to fix that... but that's not the problem.  I WANT time to be off and authentication to work.
Tim Phillips, Windows Systems Administrator, Asked:

Cliff Galiher Commented:
Uhhh. That's sort of core to Kerberos. Usually when a developer wants to do something that seems unreasonable, it *is* unreasonable.

Push back. If changing time is really that important, it can be done on a sandbox (non-domain-joined or a separate dev-only domain) and the dev/test client can also be set to the wrong time so they are still in sync.
Tim Phillips, Windows Systems Administrator, Author Commented:
They found a workaround.  They are sending a script block over that changes the date and then after a certain amount of time it resyncs the clock via NTP.  The idea is to run his process outside of that but within the time constraint (300 seconds).  Example:

Here's the script:

Invoke-Command -ComputerName DEVSERVER -ScriptBlock {
    # Set the server clock to the test date
    $DateTime = New-Object DateTime 2019, 5, 10
    Set-Date $DateTime -ErrorAction SilentlyContinue
    # Hold the changed date for 300 seconds, then resync (twice)
    Start-Sleep -Seconds 300
    w32tm /resync /force
    Start-Sleep -Seconds 5
    w32tm /resync /force
} -ErrorAction SilentlyContinue


He had to run the w32tm command twice because the first time it says "stale".
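A variant of the workaround above, as an added example that is not part of the original thread: it puts the resync in a `finally` block so it still runs if the hold is interrupted, and checks afterwards that the server clock is actually back in line instead of resyncing a fixed two times. DEVSERVER and the test date come from the post; `$HoldSeconds`, `$MaxSkewSeconds`, `$Attempts` and the result object are assumptions, and the check relies on the laptop clock being in sync with the domain, as the question states.

```powershell
# Added example, not from the thread. Values marked "assumption" are illustrative.
$HoldSeconds    = 240   # assumption: stay under the 300 seconds quoted in the post
$MaxSkewSeconds = 5     # assumption: residual offset accepted after the resync
$Attempts       = 3     # assumption: the first resync can report "stale", so retry

# The laptop's UTC time is passed as ticks so the server can compute what the
# correct time should be without asking anyone while its own clock is wrong.
$clientTicks = [DateTime]::UtcNow.Ticks

$result = Invoke-Command -ComputerName DEVSERVER `
    -ArgumentList $clientTicks, $HoldSeconds, $MaxSkewSeconds, $Attempts -ScriptBlock {
    param([long]$ClientTicks, [int]$HoldSeconds, [int]$MaxSkewSeconds, [int]$Attempts)

    # Stopwatch counts from the performance counter, so Set-Date does not disturb it.
    $elapsed   = [System.Diagnostics.Stopwatch]::StartNew()
    $clientUtc = New-Object DateTime -ArgumentList $ClientTicks, ([DateTimeKind]::Utc)
    $skew      = $null
    try {
        Set-Date -Date (New-Object DateTime 2019, 5, 10) | Out-Null
        Start-Sleep -Seconds $HoldSeconds
    }
    finally {
        for ($i = 1; $i -le $Attempts; $i++) {
            w32tm /resync /force | Out-Null
            # Expected time = laptop time at start + time elapsed on the server
            $expectedUtc = $clientUtc + $elapsed.Elapsed
            $skew = [math]::Abs(([DateTime]::UtcNow - $expectedUtc).TotalSeconds)
            if ($skew -le $MaxSkewSeconds) { break }
            Start-Sleep -Seconds 5
        }
    }
    [pscustomobject]@{
        ResyncAttempts = [math]::Min($i, $Attempts)
        SkewSeconds    = [math]::Round($skew, 1)
        InSync         = ($skew -le $MaxSkewSeconds)
    }
}

if (-not $result.InSync) {
    Write-Warning "DEVSERVER clock is still off by $($result.SkewSeconds) s after resync"
}
$result
```

`SkewSeconds` includes the network delay of delivering the arguments, so it is a sanity check with a few seconds of tolerance, not a precise offset measurement.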
Tim Phillips, Windows Systems Administrator, Author Commented:
Essentially Cliff is correct, but we came up with a nifty workaround for our issue.