Here is a case we recently worked on about a Kerberos authentication issue.
Symptoms:
Assume a web site that provides search functions under a virtual directory configured for Integrated Windows authentication. When clients from outside the domain access the web site by FQDN, they have to click the “OK” button three times on the pop-up authentication window before the result grid comes back.
Analysis:
In the IIS log, the request is recorded with "401 1 2148074241", where the Win32 status 2148074241 indicates that the handle specified is invalid.
2009-04-15 00:30:26 W3SVC1 10.101.nn.nn GET /Portal/VD/Show.aspx - 80 - 10.1.19.53 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+InfoPath.1) 401 2 2148074254
In the Security log, the system was recording Event ID 537 failure audits:
Event Type: Failure Audit
Event Source: Security
Event Category: (2)
Event ID: 537
Date: 4/15/2009
Time: 3:47:32 PM
User: NT AUTHORITY\SYSTEM
Computer: XXX
Description:
Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC000006D
Substatus code: 0xC0000133
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.101.nn.nn
Source Port: 1310
Caller Process Name: %16
Generally, status code 0xC000006D means "STATUS_LOGON_FAILURE" and substatus code 0xC0000133 translates to "STATUS_TIME_DIFFERENCE_AT_DC". The problem could therefore be caused by a time difference (greater than 5 minutes) between the two computers.
In the network trace, we can also see:
HTTP KRB Error: KRB5KRB_AP_ERR_SKEW (text/html)
KRB5KRB_AP_ERR_SKEW indicates that the clock skew is too great.
Comparing the timestamps in the client and server network traces verifies that there is a 13-minute difference.
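As an added example (not part of the original case write-up), the following Python script applies the analysis above to exported logs: it parses IIS W3C log lines and Security event text, and reports each Event ID 537 with substatus 0xC0000133 together with the 401 responses IIS logged for the same client address. The sample log text, its #Fields header, the server IP and the second client are constructed for the example.

```python
import re
from collections import defaultdict

# SSPI HRESULTs that IIS writes (in decimal) to sc-win32-status on the 401s of a failing handshake.
SSPI_STATUS = {2148074241: "SEC_E_INVALID_HANDLE", 2148074254: "SEC_E_NO_CREDENTIALS"}
STATUS_TIME_DIFFERENCE_AT_DC = 0xC0000133  # event 537 substatus that means clock skew
# Constructed sample data modelled on the case above; the server and second-client IPs are placeholders.
IIS_LOG = """#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-04-15 00:30:26 W3SVC1 10.101.0.5 GET /Portal/VD/Show.aspx - 80 - 10.1.19.53 Mozilla/4.0 401 2 2148074254
2009-04-15 00:30:26 W3SVC1 10.101.0.5 GET /Portal/VD/Show.aspx - 80 - 10.1.19.53 Mozilla/4.0 401 1 2148074241
2009-04-15 00:30:31 W3SVC1 10.101.0.5 GET /Portal/VD/Show.aspx - 80 CORP\\alice 10.1.19.60 Mozilla/4.0 200 0 0
"""
SECURITY_LOG = """Event Type: Failure Audit
Event ID: 537
Time: 3:47:32 PM
Substatus code: 0xC0000133
Source Network Address: 10.1.19.53
Event Type: Failure Audit
Event ID: 537
Substatus code: 0xC000006A
Source Network Address: 10.1.19.60
"""

def parse_iis_log(text):
    """Parse W3C extended log lines, naming the columns from the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def parse_security_events(text):
    """Split exported Security-log text into one dict of 'Key: value' pairs per event."""
    return [dict(re.findall(r"(?m)^([\w ]+): ?(.*)$", b)) for b in re.split(r"(?m)^(?=Event Type:)", text) if b.strip()]

def find_time_skew_failures(iis_text=IIS_LOG, sec_text=SECURITY_LOG):
    """Join each 537/STATUS_TIME_DIFFERENCE_AT_DC event to the IIS 401s from the same client IP."""
    by_client = defaultdict(list)
    for row in parse_iis_log(iis_text):
        if row.get("sc-status") == "401":  # name the SSPI error behind each 401 where known
            code = int(row["sc-win32-status"])
            by_client[row["c-ip"]].append(SSPI_STATUS.get(code, hex(code)))
    findings = []
    for ev in parse_security_events(sec_text):
        if ev.get("Event ID") == "537" and int(ev.get("Substatus code", "0"), 16) == STATUS_TIME_DIFFERENCE_AT_DC:
            ip = ev.get("Source Network Address", "-")
            findings.append({"client": ip, "time": ev.get("Time"), "iis_401s": by_client.get(ip, [])})
    return findings
```

A client that appears in the output with several 401s and a 537/0xC0000133 event is the one whose clock needs checking; the wrong-password event for the second client is deliberately ignored.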
Solution:
It is now clear that the time difference (>5 min) between client and server causes the Kerberos authentication issue. Changing the client machine's time to synchronize with the IIS server resolves the issue. Refer to this article:
Verifying Computer Settings for Troubleshooting Kerberos
http://technet.microsoft.com/en-us/library/cc787535.aspx
------------------------------------------------------------------
Make sure that the clocks are synchronized across the domain.
Many network services, including Kerberos authentication, are dependent on time synchronization throughout the domain. You can manually synchronize a computer with the time on the domain.
To synchronize the computer's time with the current time on the domain
1. Click Start, and then click Run.
2. Type net time /domain /set, and then click OK.
-------------------------------------------------------------------
More information:
How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication
http://support.microsoft.com/kb/215383/
Regards,
Anik Shen
Reference:
http://blogs.msdn.com/b/asiatech/archive/2009/04/27/kerberos-authentication-failed-due-to-time-skew.aspx