Kerberos Authentication failed due to time skew

This article describes a case of Kerberos authentication failure caused by a time difference between the client and the server. The symptom was that, when a web site with a virtual directory using Integrated Windows authentication was accessed from outside the domain by its fully qualified domain name, the user had to click "OK" in the popup authentication window several times before getting the result back. Analysis of the IIS log and the Security log traced the root cause to a time difference of more than five minutes between the two computers, and the corresponding fix is given.
Here is a case we recently worked on about Kerberos authentication issue.



[b]Symptoms:[/b]

Assume there is a web site which provides search functions under a virtual directory with Integrated Windows authentication. When clients use the FQDN to access the web site from outside the domain, they have to click the "OK" button three times on the popup authentication window to get the result grid back.



[b]Analysis:[/b]

[table]
|In IIS log, it records "[color=red]401 1 2148074241[/color]" that indicates the handle specified is invalid.|
[/table]



2009-04-15 00:30:26 W3SVC1 10.101.nn.nn GET /Portal/VD/Show.aspx - 80 - 10.1.19.53 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+InfoPath.1) 401 2 2148074254



In the Security log, the system was recording Event ID 537 entries.




Event Type: Failure Audit
Event Source: Security
Event Category: (2)
Event ID: 537
Date: 4/15/2009
Time: 3:47:32 PM
User: NT AUTHORITY\SYSTEM
Computer: XXX
Description:
Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC000006D
Substatus code: 0xC0000133
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.101.nn.nn
Source Port: 1310
Caller Process Name: %16




Generally, status code 0xC000006D means "STATUS_LOGON_FAILURE" and substatus code 0xC0000133 translates to "STATUS_TIME_DIFFERENCE_AT_DC". The problem could therefore be caused by a time difference (greater than 5 minutes) between the two computers.



In the network trace, we can also see:



[table]
|HTTP KRB Error: KRB5KRB_AP_ERR_SKEW (text/html)|
[/table]



KRB5KRB_AP_ERR_SKEW indicates that the clock skew is too great.



Comparing the timestamps in the client and server network traces confirms that there is a 13-minute difference.
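As an added example (not part of the original post), the following Python mirrors the analysis above: it decodes the status/substatus pair from an Event 537 description, flags the substatus that corresponds to KRB5KRB_AP_ERR_SKEW, and compares client and server timestamps against the default 5-minute Kerberos tolerance. The sample event text, its source address and the timestamps are constructed.

```python
import re
from datetime import datetime, timedelta

# NTSTATUS codes named in the post, plus one common non-skew failure for contrast.
STATUS_NAMES = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
    0xC000006A: "STATUS_WRONG_PASSWORD",
}
# Default Kerberos "maximum tolerance for computer clock synchronization".
MAX_CLOCK_SKEW = timedelta(minutes=5)
_FIELD_RE = re.compile(
    r"^\s*(Status code|Substatus code|Source Network Address):\s*(\S+)", re.M)

def parse_event_537(description: str) -> dict:
    """Pull status, substatus and source address out of an Event 537 description."""
    fields = dict(_FIELD_RE.findall(description))
    return {
        "status": int(fields["Status code"], 16),
        "substatus": int(fields["Substatus code"], 16),
        "source": fields.get("Source Network Address", "-"),
    }

def classify(event: dict) -> str:
    """Name both codes; the skew substatus is what the trace shows as KRB5KRB_AP_ERR_SKEW."""
    status = STATUS_NAMES.get(event["status"], hex(event["status"]))
    sub = STATUS_NAMES.get(event["substatus"], hex(event["substatus"]))
    if event["substatus"] == 0xC0000133:
        return f"{status}/{sub}: clock of {event['source']} differs from the DC by more than 5 min"
    return f"{status}/{sub}"

def clock_skew_minutes(client_iso: str, server_iso: str) -> float:
    """Absolute skew between two ISO-8601 timestamps taken from the traces."""
    delta = abs(datetime.fromisoformat(client_iso) - datetime.fromisoformat(server_iso))
    return delta.total_seconds() / 60

def skew_exceeds_tolerance(client_iso: str, server_iso: str) -> bool:
    return timedelta(minutes=clock_skew_minutes(client_iso, server_iso)) > MAX_CLOCK_SKEW

# Constructed sample in the same layout as the post's Event 537 (address is made up).
SAMPLE_EVENT = """Logon Failure:
Status code: 0xC000006D
Substatus code: 0xC0000133
Source Network Address: 192.0.2.10
Source Port: 1310"""

if __name__ == "__main__":
    print(classify(parse_event_537(SAMPLE_EVENT)))
    # Constructed timestamps with the 13-minute gap seen in the traces.
    print(skew_exceeds_tolerance("2009-04-15T15:47:32", "2009-04-15T15:34:32"))
```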



[b]Solution:[/b]



It is clear now that the time difference (>5 min) between client and server causes the Kerberos authentication issue. Changing the client machine's time to synchronize with the IIS server resolves the issue. Refer to this article:



Verifying Computer Settings for Troubleshooting Kerberos

http://technet.microsoft.com/en-us/library/cc787535.aspx


------------------------------------------------------------------
Make sure that the clocks are synchronized across the domain.

Many network services, including Kerberos authentication, are dependent on time synchronization throughout the domain. You can manually synchronize a computer with the time on the domain.

To synchronize the computer's time with the current time on the domain



1. Click Start, and then click Run.

2. Type net time /domain /set, and then click OK.
-------------------------------------------------------------------



[b]More information:[/b]



How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication 

http://support.microsoft.com/kb/215383/



Regards,



Anik Shen

Reference:
http://blogs.msdn.com/b/asiatech/archive/2009/04/27/kerberos-authentication-failed-due-to-time-skew.aspx